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There were no high vulnerabilities recorded this week. 
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Primary ae : CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding ? 7 
security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote iia 
code execution (RCE) attack when a configuration uses a JDBC MISC 
apache -- log4j Appender with a JNDI LDAP data source URI when an attacker 2021-12-28 6 MLIST 
has control of the target LDAP server. This issue is fixed by CONFIRM 
limiting JNDI data source names to the java protocol in Log4j2 MLIST 
versions 2.17.1, 2.12.4, and 2.3.2. = 
: : eo age CVE-2021-4169 
a À livehelperchat is vulnerable to Improper Neutralization of Input ie ~ 
livehelperchat=live helperehat During Web Page Generation ('Cross-site Scripting’) eae 43 o 
CVE-2021-45471 
nee aie In MediaWiki through 1.37, blocked IP addresses are allowed to MISC 
mediawiki -- mediawiki edit EntitySchema items. 2021-12-24 5 MISC 
MISC 
In MediaWiki through 1.37, XSS can occur in Wikibase because 
mediawiki - mediawiki an external identifier property can have a URL format that includes 2021-12-24 43 ae =a 
a $1 formatter substitution marker, and the javascript: URL Ez MISC 
scheme (among others) can be used. fo 
In MediaWiki through 1.37, Wikibase item descriptions allow XSS, CVE-2021-45473 
mediawiki -- mediawiki which is triggered upon a visit to an action=info URL (aka a page- || 2021-12-24 4.3 MISC 
information sidebar). MISC 
In MediaWiki through 1.37, the Special:lmportFile URI (aka CVE-2021-45474 
mediawiki -- mediawiki Filelmporter) allows XSS, as demonstrated by the clientUr| 2021-12-24 4.3 MISC 
parameter. MISC 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, CVE-2021-45584 
netgear -- rbk752_ firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 5.2 Msc 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before e 
3.2.16.6. 
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invoiceninja -- invoice_ninja 











invoiceninja is vulnerable to Improper Neutralization of Input 
During Web Page Generation ('Cross-site Scripting’) 
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CVE-2021-3977 
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Primary ae F CVSS Source & Patch 
Vendor -- Product Description Puplisned Score Info 
Certain NETGEAR devices are affected by incorrect configuration 
of security settings. This affects AC2100 before 1.2.0.88, AC2400 
before 1.2.0.88, AC2600 before 1.2.0.88, R6220 before 1.1.0.110, 
R6230 before 1.1.0.110, R6260 before 1.1.0.84, R6330 before 2021-12-26 not yet ||CVE-2021-45644 
netgear -- ac2600_firmware 1.1.0.84, R6350 before 1.1.0.84, R6700v2 before 1.2.0.88, R6800 calculated |MISC 
before 1.2.0.88, R6850 before 1.1.0.84, R6900v2 before 1.2.0.88, 
R7200 before 1.2.0.88, R7350 before 1.2.0.88, R7400 before 
1.2.0.88, and R7450 before 1.2.0.88. 
Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects D7000v2 before 
1.0.0.66, D8500 before 1.0.3.58, R7000 before 1.0.11.110, 
e cena Ae R7100LG before 1.0.0.72, R7900 before 1.0.4.30, R8000 before | 2021-12-26 | TOtyel  [-ve-2021-A0624 
g = 1.0.4.62, XR300 before 1.0.3.56, R7000P before 1.3.2.132, a 
R8500 before 1.0.2.144, R6900P before 1.3.2.132, and R8300 
before 1.0.2.144. 
; : An arbitrary file download and execution vulnerability was found in 
pn ecuidepemnte the VideoOffice X2.9 and earlier versions (CVE-2020-7878). This || 2021-12-28 || _Notyet |CVE-2020-7878 
: ; P : : calculated ||MISC 
issue is due to missing support for integrity check. 
actix:ccagtixneweb An issue was discovered in the actix-web crate before 0.7.15 for not vet CVE-2018-25025 
Rust. It can unsoundly extend the lifetime of a string, leading to 2021-12-27 y MISC 
: calculated 
memory corruption. MISC 
acti: = actixcweb: An issue was discovered in the actix-web crate before 0.7.15 for not vet CVE-2018-25024 
Rust. It can unsoundly coerce an immutable reference into a 2021-12-27 y MISC 
‘ - calculated 
mutable reference, leading to memory corruption. MISC 
hetis- actixweb An issue was discovered in the actix-web crate before 0.7.15 for notvét CVE-2018-25026 
Rust. It can add the Send marker trait to an object that cannot be || 2021-12-27 y MISC 
: : calculated 
sent between threads safely, leading to memory corruption. MISC 
In Apache APISIX Dashboard before 2.10.1, the Manager API 
uses two frameworks and introduces framework ‘droplet’ on the CVE-2021-45232 
apache -- apisix_dashboard basis of framework ‘gin’, all APIs and authentication middleware 2021-12-27 not yet CONFIRM 
are developed based on framework ‘droplet’, but some API calculated MLIST 
directly use the interface of framework ‘gin’ thus bypassing the = 
authentication. 
archivy -- archivy not yet CVE-2021-4162 
archivy is vulnerable to Cross-Site Request Forgery (CSRF) 2021-12-25 CONFIRM 
calculated MISC 
seus ertn53 devices ASUS RT-N53 3.0.0.4.376.3754 devices have a buffer overflow Aol vet CVE-2019-20082 
= via a long lan_dns1_x or lan_dns2_x parameter to 2021-12-28 enced MISC 
[AAdvanced_LAN_Content.asp. MISC 
Attendance Management System 1.0 is affected by a Cross Site 
Scripting (XSS) vulnerability. The value of the FirstRecord request 
attendance_management_system - ||parameter is copied into the value of an HTML tag attribute which £ 5 
- attendance_management_system ||is encapsulated in double quotation marks. The attacker can 2021-12-26 Roet hee 
access the system, by using the XSS-reflected method, and then B 
can store information by injecting the admin account on this 
system. 
CVE-2021-45890 
authguard -- authguard basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows 2021-12-27 not yet RET 
authentication via an inactive identifier. calculated MISC 
MISC 
Privilege escalation vulnerability in Avast Antivirus prior to 20.4 
Svasti-cantiviris allows a local user to gain elevated privileges by "hollowing" 2024-12-27 not yet hee 
trusted process which could lead to the bypassing of Avast self- calculated MISC 
defense. ——— 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
7 Privilege escalation vulnerability in the Sandbox component of CVE-2021-45336 
avast -- antivirus Avast Antivirus prior to 20.4 allows a local sandboxed code to gain 2024-12-27 not yet Msc 
elevated privileges by using system IPC interfaces which could calculated MISC 
lead to exit the sandbox and acquire SYSTEM privileges. Eue 
Privilege escalation vulnerability in the Self-Defense driver of 
Avast antvirls Avast Antivirus prior to 20.8 allows a local user with SYSTEM not vet CVE-2021-45337 
privileges to gain elevated privileges by "hollowing" process 2021-12-27 dcued MISC 
wsc_proxy.exe which could lead to acquire antimalware (AM-PPL) MISC 
protection. 
Multiple privilege escalation vulnerabilities in Avast Antivirus prior CVE-2021-45338 
svasta antivirus to 20.4 allow a local user to gain elevated privileges by calling ok vet MISC 
unnecessarily powerful internal methods of the main antivirus 2021-12-27 aed MISC 
service which could lead to the (1) arbitrary file delete, (2) write MISC 
and (3) reset security. MISC 
Sandbox component in Avast Antivirus prior to 20.4 has an 
avast -- antivirus insecure permission which could be abused by local user to not yet E202) -Sae35 
i 2021-12-27 MISC 
control the outcome of scans, and therefore evade detection or calculated MISC 
delete arbitrary system files. D 
An issue was discovered in BS_RCIO64.sys in Biostar RACING 
GT Evo 2.1.1905.1700. A low-integrity process can open the 
biostar -- racing_gt_evo driver's device object and issue IOCTLs to read or write to not yet ||CVE-2021-44852 
; : : F 2022-01-01 
arbitrary physical memory locations (or call an arbitrary address), calculated ||MISC 
leading to execution of arbitrary code. This is associated with 
0x226040, 0x226044, and 0x226000. 
Bitmask Riseup VPN 0.21.6 contains a local privilege escalation 
flaw due to improper access controls. When the software is 
installed with a non-default installation directory off of the system 
bitmask -- riseup root, the installer fails to properly set ACLs. This allows lower 2021-12-30 not yet ||CVE-2021-44466 
privileged users to replace the VPN executable with a malicious calculated |MISC 
one. When a higher privileged user such as an Administrator 
launches that executable, it is possible for the lower privileged 
user to escalate to Administrator privileges. 
In Brave Desktop 1.17 through 1.33 before 1.33.106, when 
CNAME-based adblocking and a proxying extension with a CVE-2021-45884 
brave brave deskto SOCKS fallback are enabled, additional DNS requests are issued iotyet MISC 
= P outside of the proxying extension using the system's DNS 2021-12-27 Sacie MISC 
settings, resulting in information disclosure. NOTE: this issue MISC 
exists because of an incomplete fix for CVE-2021-21323 and MISC 
CVE-2021-22916. 
Carinal Tien Hospital Health Report System’s login page has 
Banna: improper authentication, a remote attacker can acquire another 
: : general user’s privilege by modifying the cookie parameter without ETE not yet ||CVE-2021-44160 
ten. hospital healthrèport system authentication. The attacker can then perform limited operations 2021512729 calculated ||MISC 
on the system or modify data, making the service partially 
unavailable to the user. 
This affects the package celery before 5.2.2. It by default trusts 
the messages and metadata stored in backends (result stores). 
belei cele When reading task metadata from the backend, the data is notvet CVE-2021-23727 
ry y deserialized. Given that an attacker can gain access to, or 2021-12-29 ech aaed MISC 
somehow manipulate the metadata within a celery backend, they MISC 
could trigger a stored command injection vulnerability and 
potentially gain further access to the system. 
cscms -- cscms An issue in the user login box of CSCMS v4.0 allows attackers to 2021-12-27 not yet CVE-2020-21238 
hijack user accounts via brute force attacks. calculated |MISC 
; ; A vulnerability in /damicms-master/admin.php?s=/Article/doedit of 
damicms = damicms DamiCMS v6.0 allows attackers to compromise and impersonate 2021-12-27 a ae 
user accounts via obtaining a user's session cookie. re 
ramiai A The Datalogic DXU service on (for example) DL-Axist devices CVE-2021-43333 
d-axist = devices does not require authentication for configuration changes or 2022-01-01 ete MISC 
disclosure of configuration settings. CONFIRM 
CVE-2021-44896 
dmp -- roadmap not yet MISC 
DMP Roadmap before 3.0.4 allows XSS. 2022-01-01 calculated MISC 
MISC 
dneimasa c= dnsmas Dnsmasq 2.86 has a heap-based buffer overflow in not vet CVE-2021-45957 
q q answer_request (called from FuzzAnswerTheRequest and 2022-01-01 eaieaied MISC 
fuzz_rfc1035.c). MISC 
anemasars dnsmas Dnsmasq 2.86 has a heap-based buffer overflow in ot vet CVE-2021-45951 
q q check_bad_address (called from check_for_bogus_wildcard and 2022-01-01 eas ted MISC 
FuzzCheckForBogusWildcard). MISC 
dnsmasq -- dnsmasq Dnsmasq 2.86 has a heap-based buffer overflow in print_mac not yet CVE-2021-45956 
2022-01-01 MISC 
(called from log_packet and dhcp_reply). calculated MISC 
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written data, and (to some extent) control over the amount of data 
that is written. 

















Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published | Score Info 
dnsmasq -- dnsmasq Dnsmasq 2.86 has a heap-based buffer overflow in dhcp_reply 2022-01-04 not yet 1 ee 
(called from dhcp_packet and FuzzDhcp). calculated MISC 
Dnsmasq 2.86 has a heap-based buffer overflow in extract_name not yet CVE-2021-45953 
dnsmasq -- dnsmasq j : 2022-01-01 MISC 
(called from hash_questions and fuzz_util.c). calculated MISC 
dnsmasq -- dnsmasq Dnsmasq 2.86 has a heap-based buffer overflow in extract_name 2022-01-01 not yet 1 AEN 
(called from answer_auth and FuzzAuth). calculated MISC 
dnsmasq -- dnsmasq Dnsmasq 2.86 has a heap-based buffer overflow in resize_packet 2022-01-04 not yet wee 
(called from FuzzResizePacket and fuzz_rfc1035.c). calculated MISC 
elgg -- elgg elgg is vulnerable to Improper Neutralization of Input During Web not yet es 
er : mop 2021-12-24 MISC 
Page Generation ('Cross-site Scripting') calculated CONFIRM 
Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: CVE-2021-45427 
emerson -- xweb_300d_evo unauthenticated arbitrary file deletion due to path traversal. An 2021-12-30 not yet MISC 
attacker can browse and delete files without any authentication calculated |MISC 
due to incorrect access control and directory traversal. MISC 
Emuse - eServices / eNvoice SQL injection can be used in various 
ways ranging from bypassing login authentication or dumping the 
; ; whole database to full RCE on the affected endpoints. The SQLi 
emuse -- eservices_and_envoice caused by CWE-209: Generation of Error Message Containig 2021-12-29 notyet i Am O tie 
8 : : calculated |CONFIRM 
Sensetive Information, showing parts of the aspx code and the 
webroot location , information an attacker can leverage to further 
compromise the host. 
F ; Emuse - eServices / eNvoice Exposure Of Private Personal 
cmüse z services and: envoie Information due to lack of identification mechanisms and 2021-12-29 not yet |CVE-2021-36723 
A i > calculated |CONFIRM 
predictable IDs an attacker can scrape all the files on the service. 
The WinRin0x64.sys and WinRingO.sys low-level drivers in EVGA 
evga -- precision_xoc Precision XOC version v6.2.7 were discovered to be configured 2021-12-28 not yet ||CVE-2020-22057 
with the default security descriptor which allows attackers to calculated |MISC 
access sensitive components and data. 
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) CVE-2021-45960 
expat -- expat places in the storeAtts function in xmlparse.c can lead to realloc 2022-01-01 not yet MISC 
misbehavior (e.g., allocating too few bytes, or only freeing calculated |MISC 
memory). MISC 
FATEK WinProladder Versions 3.30_24518 and prior are 
fatek -- winproladder vulnerable to a stack-based buffer overflow while processing 2021-12-28 not yet |CVE-2021-43556 
project files, which may allow an attacker to execute arbitrary calculated |MISC 
code. 
; FATEK WinProladder Versions 3.30_24518 and prior are 
ateka winpralaader vulnerable to an out-of-bounds write while processing project files, | 2021-12-28 a a 
which may allow an attacker to execute arbitrary code. e 
ForeScout - SecureConnector Local Service DoS - A low 
forescout -- privilaged user which doesn't have permissions to shutdown the 
secureconnector_local_service secure connector service writes a large amount of characters in 2021-12-29 ae d o 
the installationPath. This will cause the buffer to overflow and B 
override the stack cookie causing the service to crash. 
GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in e aad 
gdal -- gdal PCIDSK::CPCIDSKFile::ReadFromFile (called from 2022-01-01 not yet MISC 
PCIDSK::CPCIDSKSegment::ReadFromFile and calculated MISC 
PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment). MISC 
Gerapy is a distributed crawler management framework. Gerapy [e E A 
gerapy -- gerapy : : ; : PEE not yet ||CONFIRM 
prior to version 0.9.8 is vulnerable to remote code execution, and 2021-12-27 
ite . ; à calculated ||MISC 
this issue is patched in version 0.9.8. MISC 
Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in not vet CVE-2021-45944 
ghostscript -- ghostpdl sampled_data_sample (called from sampled_data_continue and 2022-01-01 y MISC 
: calculated 
interp). MISC 
P CVE-2021-45949 
ee Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based ns ~ 
ghostscript -- ghostpdl buffer overflow in sampled_data_finish (called from 2022-01-01 | notyet [MISC 
: calculated |MISC 
sampled_data_continue and interp). MISC 
An issue was discovered in gif2apng 1.9. There is a heap-based 
buffer overflow within the main function. It allows an attacker to 
z ; write data outside of the allocated buffer. The attacker has control not yet |CVE-2021-45910 
gif2apng -- gif2apng over a part of the address that data is written to, control over the 2021-12-28 || calculated MISC 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
An issue was discovered in gif2apng 1.9. There is a heap-based 
: j buffer overflow vulnerability in the DecodeLZW function. It allows not yet ||CVE-2021-45909 
gif2apng -- gif2apng an attacker to write a large amount of arbitrary data outside the 2021-12-28 || calculated [MISC 
boundaries of a buffer. 
An issue was discovered in gif2apng 1.9. There is a stack-based 
p ; buffer overflow involving a for loop. An attacker has little influence not yet ||CVE-2021-45907 
gif2apng -- gif2apng over the data written to the stack, making it unlikely that the flow of 2021-12-28 || calculated ||MISC 
control can be subverted. 
An issue was discovered in gif2apng 1.9. There is a stack-based 
P : buffer overflow involving a while loop. An attacker has little not yet ||CVE-2021-45908 
gif2apng -- gif2apng influence over the data written to the stack, making it unlikely that 2021-12-28 || calculated |MISC 
the flow of control can be subverted. 
. 3 An issue was discovered in gif2apng 1.9. There is a heap-based 
gif2apng -- gif2apng buffer overflow in the main function. It allows an attacker to write 2 || 2021-12-28 Pia ae oo 
bytes outside the boundaries of the buffer. a 
The giftrans function in giftrans 1.12.2 contains a stack-based CVE-2021-45972 
giftrans -- giftrans buffer overflow because a value inside the input file determines 2022-01-01 not yet MISC 
the amount of data to write. This allows an attacker to overwrite up calculated |MISC 
to 250 bytes outside of the allocated buffer with arbitrary data. MISC 
lawiwvd~ alewhwya Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access not vet CVE-2021-45379 
9 yag y control vulnerability. One user can attempt to log in as another 2021-12-30 saisucted MISC 
user without its password. MISC 
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows 
9o ~- go uncontrolled memory consumption in the header canonicalization || 2022-01-01 e r enm ~ 
cache via HTTP/2 requests. RETE 
Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write 
go -- go operations to an unintended file or unintended network connection 2022-01-01 not yet ||CVE-2021-44717 
as a consequence of erroneous closing of file descriptor 0 after calculated |CONFIRM 
file-descriptor exhaustion. 
An improper authentication vulnerability has been reported to 
_ > affect Android App Qfile. If exploited, this vulnerability allows g z 
google -android attackers to compromise app and access information We have 2021-12-29 oa F 
already fixed this vulnerability in the following versions of Qfile: = 
Qfile 3.0.0.1105 and later 
Grok 9.5.0 has a heap-based buffer overflow in CVE-2021-45935 
grok -- grok openhtj2k::T1OpenHTJ2K::decompress (called from 2022-01-01 not yet MISC 
std::__1::__packaged_task_func<std::__1::__bind<grk::T1 Decompte EEr: eatculated ||MISC 
and std::_1::packaged_task<int). MISC 
Path traversal vulnerability in GroupSession Free edition ver5.1.1 
and earlier, GroupSession byCloud ver5.1.1 and earlier, and CVE-2021-20876 
groupsession -- bycloud_and_zion ||GroupSession ZION ver5.1.1 and earlier allows an attacker with hotyet | a. = 
pi : ss : iad : ; 2021-12-24 MISC 
an administrative privilege to obtain sensitive information stored in calculated MISC 
the hierarchy above the directory on the published site's server via p 
unspecified vectors. 
Incorrect permission assignment for critical resource vulnerability 
in GroupSession Free edition ver5.1.1 and earlier, GroupSession CVE-2021-20874 
groupsession -- bycloud_and_zion ||/byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 2021-12-24 not yet Msc 
and earlier allows a remote unauthenticated attacker to access calculated MISC 
arbitrary files on the server and obtain sensitive information via ae 
unspecified vectors. 
Open redirect vulnerability in GroupSession Free edition ver5.1.1 
and earlier, GroupSession byCloud ver5.1.1 and earlier, and 
rouipsession:(bcloudand zion GroupSession ZION ver5.1.1 and earlier allows a remote 2021-12-24 not yet oo 
group y Sore unauthenticated attacker to redirect users to arbitrary web sites calculated MISC 
and conduct phishing attacks by having a user to access a TE 
specially crafted URL. 
HarfBuzz 2.9.0 has an out-of-bounds write in ak vet Leese 
harfbuzz-- harfbuzz hb_bit_set_invertible_t::set (called from 2022-01-01 saisi ted MISC 
hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy). MISC 
f iBall WRD12EN 1.0.0 devices allow cross-site request forgery CVE-2020-29292 
pawie (CSRF) attacks as demonstrated by enabling DNS settings or 2021-12-30 || pet yet | limisc 
modifying the range for IP addresses. MISC 
IBM OPENBMC OP910 is vulnerable to cross-site scripting. This 
ibmieetorce vulnerability allows users to embed arbitrary JavaScript code in not vet CVE-2021-38961 
the Web UI thus altering the intended functionality potentially 2021-12-27 sera CONFIRM 
leading to credentials disclosure within a trusted session. IBM X- XE 
Force ID: 212049. 
IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This 
bme xtorce vulnerability allows users to embed arbitrary JavaScript code in not vet CVE-2021-38876 
the Web UI thus altering the intended functionality potentially 2021-12-30 aicu CONFIRM 
leading to credentials disclosure within a trusted session. IBM X- XF 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Unprotected transport of credentials vulnerability in IDEC PLCs 
(FC6A Series MICROSmart All-in-One CPU module v2.32 and 
earlier, FC6A Series MICROSmart Plus CPU module v1.91 and 
earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and 
idec -- idec earlier, and Data File Manager v2.12.1 and earlier) allows an 2021-12-24 not yet -o 
attacker to obtain the PLC Web server user credentials from the calculated MISC 
communication between the PLC and the software. As a result, = 
the complete access privileges to the PLC Web server may be 
obtained, and manipulation of the PLC output and/or suspension 
of the PLC may be conducted. 
Plaintext storage of a password vulnerability in IDEC PLCs (FC6A 
Series MICROSmart All-in-One CPU module v2.32 and earlier, 
FC6A Series MICROSmart Plus CPU module v1.91 and earlier, 
WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, 
idec -- idec and Data File Manager v2.12.1 and earlier) allows an attacker to 2021-12-24 not yet ae =e 
obtain the PLC Web server user credentials from file servers, calculated MISC 
backup repositories, or ZLD files saved in SD cards. As a result, = 
the attacker may access the PLC Web server and hijack the PLC, 
and manipulation of the PLC output and/or suspension of the PLC 
may be conducted. 
An attacker may obtain the user credentials from file servers, we 
idec -- multiple_products backup repositories, or ZLD files saved in SD cards. As a result, 2021-12-28 not yet MISC 
the PLC user program may be uploaded, altered, and/or calculated MISC 
downloaded. MISC 
An attacker may obtain the user credentials from the ao = 
idec -- multiple_products communication between the PLC and the software. As a result, 2021-12-28 not yet MISC 
the PLC user program may be uploaded, altered, and/or calculated MISC 
downloaded. MISC 
In &#x201C;ifme&#x201D;, versions 1.0.0 to v7.31.4 are 
ifme.--ifmé vulnerable against stored XSS vulnerability in the markdown 2021-12-29 not yet nel 
editor. It can be exploited by making a victim a Leader of a group calculated CONFIRM 
which triggers the payload for them. = 
re ae In &#x201C;ifme&#x201D;, versions v7.22.0 to v7.31.4 are not vat CVE-2021-25990 
vulnerable against self-stored XSS in the contacts field as it allows|| 2021-12-29 alcuni MISC 
loading XSS payloads fetched via an iframe. CONFIRM 
In Ifme, versions v5.0.0 to v7.32 are vulnerable against an 
ifme -- ifme improper access control, which makes it possible for admins to not yet ee 
À ean 2021-12-29 MISC 
ban themselves leading to their deactivation from Ifme account calculated CONFIRM 
and complete loss of admin access to Ifme. Re 
In &#x201C;ifme&#x201D;, versions 1.0.0 to v7.31.4 are 
ifme -- ifme vulnerable against stored XSS vulnerability (notifications section) 2021-12-29 not yet — 
which can be directly triggered by sending an ally request to the calculated Msc 
admin. ——= 
The standard access path of the IntelliBridge EC 40 and 60 Hub 
intellibridge -- ec_40_and_60_hub |(C.00.04 and prior) requires authentication, but the product has an|| 2021-12-27 || _notyet CVE-2021-33017 
F ae calculated |MISC 
alternate path or channel that does not require authentication. 
IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) contains hard- 
F Be coded credentials, such as a password or a cryptographic key, 
intellibridge -- ec_40_and_60_hub Which it uses for its own inbound authentication, outbound 2021-12-27 Pe can ao 
communication to external components, or encryption of internal e 
data. 
This affects all versions of package github.com/kataras/iris; all 
versions of package github.com/kataras/iris/v12. The unsafe CVE-2021-23772 
Bos ae : : : A $ not yet ||CONFIRM 
iris -- iris handling of file names during upload using UploadFormFiles 2021-12-24 calculated |CONFIRM 
method may enable attackers to write to arbitrary locations outside CONFIRM 
the designated target folder. ees 
: : An arbitrary file download vulnerability in jeecg v3.8 allows 
i -= el attackers to access sensitive files via modification of the 2021-12-27 ene He d oe 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
jQuery Terminal Emulator is a plugin for creating command line 
interpreters in your applications. Versions prior to 2.31.1 contain a 
low impact and limited cross-site scripting (XSS) vulnerability. The 
code for XSS payload is always visible, but an attacker can use 
other techniques to hide the code the victim sees. If the 
application uses the ‘execHash’ option and executes code from CVE-2021-43862 
iauerv= teminat emulator URL, the attacker can use this URL to execute their code. The nótvet CONFIRM 
jquery = scope is limited because the javascript attribute used is added to 2021-12-30 caine MISC 
span tag, so no automatic execution like with ‘onerror’ on images MISC 
is possible. This issue is fixed in version 2.31.1. As a workaround, MISC 
the user can use formatting that wrap whole user input and its no 
op. The code for this workaround is available in the GitHub 
Security Advisory. The fix will only work when user of the library is 
not using different formatters (e.g. to highlight code in different 
way). 
CVE-2021-23574 
All versions of package js-data are vulnerable to Prototype COEIRE 
js-data -- js-data Pollution via the deepFillln and the set functions. This is an 2021-12-24 not yet CONFIRM 
incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS- calculated CONFIRM 
JSDATA-1023655). CONFIRM 
CONFIRM 
MinlO is a Kubernetes native application for cloud storage. Prior to 
version “RELEASE.2021-12-27T07-23-18Z', a malicious client 
can hand-craft an HTTP API call that allows for updating policy for ein 
kübērnetes minio a user and gaining higher privileges. The patch in version not yet MISC 
*RELEASE.2021-12-27T07-23-18Z changes the accepted 2021-12-27 sei ioe MISC 
request body type and removes the ability to apply policy changes CONFIRM 
through this API. There is a workaround for this vulnerability: Msc 
Changing passwords can be disabled by adding an explicit Deny” a 
rule to disable the API for users. 
libbpf -- libbpf libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) not vet CVE-2021-45941 
P P in __bpf_object__open (called from bpf_object__open_mem and 2022-01-01 ees MISC 
bpf-object-fuzzer.c). MISC 
libbpf -- libbpf libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) not vat CVE-2021-45940 
p P in __bpf_object__open (called from bpf_object__open_mem and 2022-01-01 aicid MISC 
bpf-object-fuzzer.c). MISC 
libjxl bO2d6b9, as used in libvips 8.11 through 8.11.2 and other oo 
libixl -- libixl products, has an out-of-bounds write in not yet MISC 
J J jxl::ModularFrameDecoder::DecodeGroup (called from 2022-01-01 y REA 
ra tee i calculated |MISC 
jxl::FrameDecoder::ProcessACGroup and MISC 
jxl::ThreadPool::RunCallState<jxl::FrameDecoder::ProcessSectiong). MISC 
libredwa = libredw LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds ñotvet CVE-2021-45950 
9 g write in dwg_free_BLOCK_private (called from dwg_free_BLOCK || 2022-01-01 y MISC 
- calculated 
and dwg_free_object). MISC 
In the IPv6 implementation in the Linux kernel before 5.13.3, 
linux -- linux kernel net/ipv6/output_core.c has an information leak because of certain nat vet oo 
= use of a hash table which, although big, doesn't properly consider |} 2021-12-25 erie MISC 
that IPv6-based attackers can typically choose among many IPv6 MISC 
source addresses. Poa 
lint =dinux: Kerei An issue was discovered in the Linux kernel before 5.15.11. There Aatvet CVE-2021-45480 
= is a memory leak in the __rds_conn_create() function in 2021-12-24 Gacuicd MISC 
net/rds/connection.c in a certain combination of circumstances. MISC 
linux -- linux kernel In the IPv4 implementation in the Linux kernel before 5.12.4, Rotvet vi e 
= net/ipv4/route.c has an information leak because the hash table is | 2021-12-25 ence MISC 
very small. MISC 
livehelberchat=- livehaloarchat livehelperchat is vulnerable to Improper Neutralization of Input 2021-12-29 not yet oo 
P P During Web Page Generation ('Cross-site Scripting’) calculated |R Anit 
CONFIRM 
: : ae CVE-2021-4176 
; Si livehelperchat is vulnerable to Improper Neutralization of Input AD notyet isane 
VERRI ENA a i enelpereies During Web Page Generation ('Cross-site Scripting’) 2022 a3 calculated e 
liveheiperchat— livehelberchat livehelperchat is vulnerable to Generation of Error Message 2021-12-28 not yet oe 
P P Containing Sensitive Information calculated |R Anit 
CONFIRM 
livehelberchat-<llivehelberchat livehelperchat is vulnerable to Improper Neutralization of Input 2021-12-28 not yet oe 
P p During Web Page Generation ('Cross-site Scripting’) calculated |R Anit 
CONFIRM 
licms -- ljems An issue in the user login box of LJCMS v1.11 allows attackers to 2021-12-27 not yet |CVE-2020-21237 
hijack user accounts via brute force attacks. calculated |MISC 
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R6350 before 1.1.0.84, R6700v2 before 1.1.0.84, R6800 before 
1.1.0.84, R6850 before 1.1.0.84, R6900v2 before 1.1.0.84, R7200 
before 1.1.0.84, R7350 before 1.1.0.84, R7400 before 1.1.0.84, 
and R7450 before 1.1.0.84. 

















Primary ae j CVSS Source & Patch 
Vendor -- Product Description Published | Score Info 
T A Broken or Risky Cryptographic Algorithm exists in Max Mazurov CVE-2021-42583 
mae Nisan e maddy Maddy before 0.5.2, which is an unnecessary risk that may result || 2021-12-28 Be i q MISC 
in the exposure of sensitive information. MISC 
MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer Het vet —o 
mdbtools -- mdbtools overflow (at 0x7ffdO0c689be0) in mdb_numeric_to_string (called 2022-01-01 y E. 
: calculated |MISC 
from mdb_xfer_bound_data and _mdb_attempt_bind). MISC 
mdbtools = mdbtools MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer nat vet “eo 
overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called 2022-01-01 Pei ted MISC 
from mdb_xfer_bound_data and _mdb_attempt_bind). MISC 
Mermaid is a Javascript based diagramming and charting tool that 
uses Markdown-inspired text definitions and a renderer to create CVE-2021-43861 
mermaid -- mermaid and modify complex diagrams. Prior to version 8.13.8, malicious not yet MISC 
: ; : : ; A 2021-12-30 
diagrams can run javascript code at diagram readers' machines. calculated ||MISC 
Users should upgrade to version 8.13.8 to receive a patch. There CONFIRM 
are no known workarounds aside from upgrading. 
microsoft -- sharepoint . : : ae a not yet |CVE-2021-43876 
Microsoft SharePoint Elevation of Privilege Vulnerability. 2021-12-29 calculated MISC 
Changing MOTP (Mobile One Time Password) system's specific 
motp -- motp function parameter has insufficient validation for user input. A 2021-12-29 not yet |(CVE-2021-44161 
attacker in local area network can perform SQL injection attack to calculated |MISC 
read, modify or delete backend database without authentication. 
The affected products contain vulnerable firmware, which could 
moxa -- multiple_mgate_products __|allow an attacker to sniff the traffic and decrypt login credential 2021-12-27 not yet ||CVE-2021-4161 
details. This could give an attacker admin rights through the HTTP calculated |MISC 
web server. 
CVE-2021-4188 
mrupy=mruby mruby is vulnerable to NULL Pointer Dereference 2021-12-30 || TOLyet MISC 
CONFIRM 
netbsd -- netbsd In NetBSD through 9.2, the IPv4 ID generation algorithm does not 2021-12-25 not yet e aee 
use appropriate cryptographic measures. calculated MISC 
netbsd -- netbsd In NetBSD through 9.2, the IPv6 fragment ID generation algorithm not yet LVE 2041-40404 
; 2021-12-25 MISC 
employs a weak cryptographic PRNG. calculated MISC 
netbsd -- netbsd In NetBSD through 9.2, the IPv6 Flow Label generation algorithm not yet CVE-2021-45489 
; 2021-12-25 MISC 
employs a weak cryptographic PRNG. calculated MISC 
netbsd -- netbsd In NetBSD through 9.2, there is an information leak in the TCP not yet CVE-2021-45488 
. 2021-12-25 MISC 
ISN (ISS) generation algorithm. calculated MISC 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects AC2100 before 1.2.0.88, 
AC2400 before 1.2.0.88, AC2600 before 1.2.0.88, D7000 before 
netaear =- ac2100- firmware 1.0.1.82, R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 not vet CVE-2021-45534 
g = before 1.1.0.84, R6330 before 1.1.0.84, R6350 before 1.1.0.84, 2021-12-26 Pe tee MISC 
R6700v2 before 1.2.0.88, R6800 before 1.2.0.88, R6850 before MISC 
1.1.0.84, R6900v2 before 1.2.0.88, R7200 before 1.2.0.88, R7350 
before 1.2.0.88, R7400 before 1.2.0.88, and R7450 before 
1.2.0.88. 
Certain NETGEAR devices are affected by authentication bypass. 
This affects AC2100 before 2021-08-27, AC2400 before 2021-08- 
27, AC2600 before 2021-08-27, D7000 before 2021-08-27, R6220 
; before 2021-08-27, R6230 before 2021-08-27, R6260 before 
netgear = 462100 _1imware 2021-08-27, R6330 before 2021-08-27, R6350 before 2021-08-27,| 2021-12-26 || not yet  (CVE-2021-45511 
R6700v2 before 2021-08-27, R6800 before 2021-08-27, R6850 = 
before 2021-08-27, R6900v2 before 2021-08-27, R7200 before 
2021-08-27, R7350 before 2021-08-27, R7400 before 2021-08-27, 
and R7450 before 2021-08-27. 
Certain NETGEAR devices are affected by authentication bypass. 
This affects AC2400 before 1.1.0.84, AC2600 before 1.1.0.84, 
D7000 before 1.0.1.82, R6020 before 1.0.0.52, R6080 before 
; 1.0.0.52, R6120 before 1.0.0.80, R6220 before 1.1.0.110, R6230 
netgear = ac2400 firmware before 1.1.0.110, R6260 before 1.1.0.84, R6330 before 1.1.0.84, | 2021-12-26 | Tote!  OvE-2021-45501 
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Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX7500 before 
1.0.0.72, R6400 before 1.0.1.68, R6900P before 1.3.2.132, R7000 
before 1.0.11.116, R7000P before 1.3.2.132, R7900 before 
1.0.4.38, R7960P before 1.4.1.66, R8000 before 1.0.4.66, 
RAX200 before 1.0.3.106, RS400 before 1.5.1.80, XR300 before 
1.0.3.68, MK62 before 1.0.6.110, MR60 before 1.0.6.110, 
R6400v2 before 1.0.4.106, R8000P before 1.4.1.66, RAX20 
before 1.0.2.64, RAX45 before 1.0.2.82, RAX80 before 1.0.3.106, 
MS60 before 1.0.6.110, R6700v3 before 1.0.4.106, R7900P 
before 1.4.1.66, RAX15 before 1.0.2.64, RAX50 before 1.0.2.82, 
RAX75 before 1.0.3.106, RBR750 before 3.2.16.22, RBR850 
before 3.2.16.22, RBS750 before 3.2.16.22, RBS850 before 
3.2.16.22, RBK752 before 3.2.16.22, and RBK852 before 
3.2.16.22. 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects CBR40 before 2.5.0.24, 2021-12-26 not yet |CVE-2021-45598 
CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 calculated ||MISC 

before 3.2.17.12, and RBS850 before 3.2.17.12. 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, RBR850 before 3.2.17.12, RBS850 
before 3.2.17.12, and RBS850 before 3.2.17.12. 


Certain NETGEAR devices are affected by reflected XSS. This 
affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.32, EAX80 
before 1.0.1.62, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, 
EX7000 before 1.0.1.104, EX7500 before 1.0.0.72, R7000 before 
1.0.11.110, R7900 before 1.0.4.30, R7960P before 1.4.1.66, 
R8000 before 1.0.4.62, RAX200 before 1.0.2.102, XR300 before 
1.0.3.50, EX3700 before 1.0.0.90, MR60 before 1.0.5.102, 
netgear -- cbr40_ firmware R7000P before 1.3.2.126, R8000P before 1.4.1.66, RAX20 before |} 2021-12-26 
1.0.1.64, RAX50 before 1.0.2.28, RAX80 before 1.0.3.102, 
EX3800 before 1.0.0.90, MS60 before 1.0.5.102, R6900P before 
1.3.2.126, R7900P before 1.4.1.66, RAX15 before 1.0.1.64, 
RAX45 before 1.0.2.28, RAX75 before 1.0.3.102, RBR750 before 
3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, 
RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 
before 3.2.16.6. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, R7900P before 1.4.2.84, R7960P before 
1.4.2.84, R8000P before 1.4.2.84, R8300 before 1.0.2.154, R8500|) 2021-12-26 
before 1.0.2.154, RBK752 before 3.2.17.12, RBR750 before 
3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, 
RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, EAX20 before 1.0.0.58, EAX80 before 
1.0.1.68, EX7500 before 1.0.0.74, LAX20 before 1.1.6.28, MK62 
before 1.0.6.116, MR60 before 1.0.6.116, MS60 before 1.0.6.116, 
R6400 before 1.0.1.70, R6400v2 before 1.0.4.118, R6700v3 
before 1.0.4.118, R6900P before 1.3.3.140, R7000 before 
1.0.11.116, R7000P before 1.3.3.140, R7850 before 1.0.5.68, 
netgear -- cbr40_ firmware R7900 before 1.0.4.38, R7900P before 1.4.2.84, R7960P before 
1.4.2.84, R8000 before 1.0.4.68, R8000P before 1.4.2.84, RAX15 
before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 before 
1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 1.0.3.96, 
RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 before 
1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, 
RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 
before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 
3.2.17.12, RBS850 before 3.2.17.12, RS400 before 1.5.1.80, 
XR1000 before 1.0.0.58, and XR300 before 1.0.3.68. 


not yet |CVE-2021-45617 


2021-12-26 || calculated |IMISC 


netgear -- cbr40_ firmware 








netgear -- cbr40_ firmware 








notyet ||CVE-2021-45597 


2021-12-26 || calculated |IMISC 


netgear -- cbr40_ firmware 








not yet |CVE-2021-45639 
calculated |MISC 








netgear -- cbr40_ firmware not yet |CVE-2021-45615 


calculated ||MISC 








notyet |CVE-2021-45622 


2021-12-26 || calculated |IMISC 
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Certain NETGEAR devices are affected by stored XSS. This 
affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 
before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, 
EX7500 before 1.0.0.72, R7960P before 1.4.1.66, RAX200 before 
1.0.3.106, RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, 
EX3700 before 1.0.0.90, MR60 before 1.0.6.110, R8000P before 
1.4.1.66, RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 || 2021-12-26 
before 1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, 
R7900P before 1.4.1.66, RAX15 before 1.0.2.82, RAX50 before 
1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, 
RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 
before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 
3.2.16.6. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
netgear -- cbr40_ firmware CBR750 before 3.2.18.2, RBK752 before 3.2.17.12, RBR750 
before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 
3.2.17.12, RBR850 before 3.2.17.12, RBS850 before 3.2.17.12, 
RBS4OV before 2.6.2.4, and RBW30 before 2.6.2.2. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
netgear -- cbr40_ firmware CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 
before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 
3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
netgear -- cbr40_ firmware CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 
before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 
3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, EAX20 before 1.0.0.58, EAX80 before 
1.0.1.68, EX7500 before 1.0.0.74, LAX20 before 1.1.6.28, MK62 
before 1.0.6.116, MR60 before 1.0.6.116, MS60 before 1.0.6.116, 
R6400v2 before 1.0.4.118, R6700v3 before 1.0.4.118, R6900P 
before 1.3.3.140, R7000 before 1.0.11.126, R7000P before 
1.3.3.140, R7850 before 1.0.5.74, R7900 before 1.0.4.46, R7900P 
netgear -- cbr40_ firmware before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, 
R8000P before 1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 
1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, 
RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 
1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 
before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 
3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, 
RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RS400 
before 1.5.1.80, XR1000 before 1.0.0.58, and XR300 before 
1.0.3.68. 


Certain NETGEAR devices are affected by stored XSS. This 
affects CBR40 before 2.5.0.10, EAX80 before 1.0.1.62, EX7500 
before 1.0.0.72, R7900 before 1.0.4.38, R8000 before 1.0.4.68, 
RAX200 before 1.0.4.120, RBS40V before 2.6.1.4, RBW30 before 
2.6.1.4, MR60 before 1.0.6.110, RAX20 before 1.0.2.82, RAX45 
before 1.0.2.72, RAX80 before 1.0.4.120, MS60 before 1.0.6.110, 
RAX15 before 1.0.2.82, RAX50 before 1.0.2.72, RAX75 before 
1.0.4.120, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, 
RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 
3.2.16.6, and RBK852 before 3.2.16.6. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, D7000v2 before 1.0.0.74, LAX20 before 
1.1.6.28, MK62 before 1.0.6.116, MR60 before 1.0.6.116, MS60 
before 1.0.6.116, MR80 before 1.1.2.20, MS80 before 1.1.2.20, 
netgear -- cbr40_ firmware RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 before 
1.0.4.120, RAX45 before 1.0.3.96, RAX50 before 1.0.3.96, RAX43 
before 1.0.3.96, RAX40v2 before 1.0.3.96, RAX35v2 before 
1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 
3.2.17.12, RBS850 before 3.2.17.12, and XR1000 before 1.0.0.58. 


netgear -- cbr40_ firmware not yet ||CVE-2021-45667 


calculated ||MISC 








notyet |CVE-2021-45628 


2021-12-26 || calculated MISC 








not yet ||CVE-2021-45631 


2021-12-26 || calculated ÎMISC 








not yet ||CVE-2021-45630 


2021-12-26 || calculated MISC 








not yet ||CVE-2021-45612 


2021-12-26 || calculated ÎMISC 








not yet ||CVE-2021-45671 


2021-12-26 || calculated MISC 


netgear -- cbr40_firmware 








not yet ||CVE-2021-45613 


2021-12-26 || calculated MISC 
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netgear -- cbr40_firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, EAX20 before 1.0.0.58, EAX80 before 
1.0.1.68, LAX20 before 1.1.6.28, MR60 before 1.0.6.116, MR80 
before 1.1.2.20, MS60 before 1.0.6.116, MS80 before 1.1.2.20, 
MK62 before 1.0.6.116, MK83 before 1.1.2.20, R6400 before 
1.0.1.70, R6400v2 before 1.0.4.106, R6700v3 before 1.0.4.106, 
R6900P before 1.3.3.140, R7000 before 1.0.11.126, R7000P 
before 1.3.3.140, R7850 before 1.0.5.74, R7900 before 1.0.4.46, 
R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 
1.0.4.74, R8000P before 1.4.2.84, RAX15 before 1.0.3.96, RAX20 
before 1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 
1.0.3.96, RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, 
RAX45 before 1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 
1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, 
RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 
before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 before 
3.2.17.12, RS400 before 1.5.1.80, XR1000 before 1.0.0.58, and 
XR300 before 1.0.3.68. 


2021-12-26 


not yet 
calculated 


CVE-2021-45620 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by a buffer overflow by an 
authenticated user. This affects CBR40 before 2.3.5.12, D7000v2 
before 1.0.0.66, D8500 before 1.0.3.58, R6400 before 1.0.1.70, 
R7000 before 1.0.11.126, R6900P before 1.3.2.124, R7000P 
before 1.3.2.124, R7900 before 1.0.4.30, R8000 before 1.0.4.52, 
and WNR3500Lv2 before 1.2.0.62. 


2021-12-26 


not yet 
calculated 


CVE-2021-45529 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, 
RBW30 before 2.6.2.2, RBK752 before 3.2.17.12, RBR750 before 
3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, 
RBR850 before 3.2.17.12, RBS850 before 3.2.17.12, and 
RBS40V before 2.6.2.8. 


2021-12-26 


not yet 
calculated 


CVE-2021-45507 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by stored XSS. This 
affects CBR40 before 2.5.0.10, EAX80 before 1.0.1.64, EX3700 
before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, 
EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 
2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, 
RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 
before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 
2.6.1.4. 


2021-12-26 


not yet 
calculated 


CVE-2021-45666 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR40 before 2.5.0.24, 
CBR750 before 3.2.18.2, EAX20 before 1.0.0.58, EAX80 before 
1.0.1.68, EX3700 before 1.0.0.94, EX3800 before 1.0.0.94, 
EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, EX7000 before 
1.0.1.104, EX7500 before 1.0.0.74, LAX20 before 1.1.6.28, MR60 
before 1.0.6.116, MS60 before 1.0.6.116, R6300v2 before 
1.0.4.52, R6400 before 1.0.1.70, R6400v2 before 1.0.4.106, 
R6700v3 before 1.0.4.106, R6900P before 1.3.3.140, R7000 
before 1.0.11.126, R7000P before 1.3.3.140, R7100LG before 
1.0.0.72, R7850 before 1.0.5.74, R7900 before 1.0.4.46, R7900P 
before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, 
R8000P before 1.4.2.84, R8300 before 1.0.2.154, R8500 before 
1.0.2.154, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, 
RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 
before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, 
RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 
1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, 
RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 
before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 
3.2.17.12, RBS850 before 3.2.17.12, RBS850 before 3.2.17.12, 
RS400 before 1.5.1.80, XR1000 before 1.0.0.58, and XR300 
before 1.0.3.68. 


2021-12-26 


not yet 
calculated 


CVE-2021-45621 
MISC 








netgear -- cbr40_ firmware 











Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, 
RBR852 before 3.2.17.12, RBR850 before 3.2.17.12, and 
RBS850 before 3.2.17.12. 








2021-12-26 





not yet 
calculated 








CVE-2021-45504 
MISC 
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netgear -- cbr40_firmware 


Certain NETGEAR devices are affected by stored XSS. This 
affects CBR40 before 2.5.0.10, EAX20 before 1.0.0.48, EAX80 
before 1.0.1.64, EX6120 before 1.0.0.64, EX6130 before 1.0.0.44, 
EX7500 before 1.0.0.72, R7000 before 1.0.11.116, R7900 before 
1.0.4.38, R8000 before 1.0.4.68, RAX200 before 1.0.3.106, 
RBS40V before 2.6.1.4, RBW30 before 2.6.1.4, EX3700 before 
1.0.0.90, MR60 before 1.0.6.110, R7000P before 1.3.2.126, 
RAX20 before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 
1.0.3.106, EX3800 before 1.0.0.90, MS60 before 1.0.6.110, 
R6900P before 1.3.2.126, RAX15 before 1.0.2.82, RAX50 before 
1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, 
RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 
before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45670 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, and RBR850 before 
3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45508 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR40 before 2.5.0.24, RBK752 before 3.2.17.12, 
RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 
before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45509 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 
before 3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45601 
MISC 








netgear -- cbr40_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects CBR40 before 2.5.0.24, 
CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR8&50 
before 3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45599 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR750 before 4.6.3.6, 
RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 
before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45627 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects CBR750 before 4.6.3.6, 
RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 
before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45600 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, 
RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 
before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45506 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, 
RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 
before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45503 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR750 before 4.6.3.6, 
RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 
before 3.2.17.12, RBS850 before 3.2.17.12, RBK752 before 
3.2.17.12, and RBK852 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45633 
MISC 








netgear -- cbr750_ firmware 








Certain NETGEAR devices are affected by a stack-based buffer 
overflow by an authenticated user. This affects CBR750 before 
3.2.18.2, D6220 before 1.0.0.68, D6400 before 1.0.0.102, D8500 
before 1.0.3.60, LAX20 before 1.1.6.28, MK62 before 1.0.6.116, 
MR60 before 1.0.6.116, MS60 before 1.0.6.116, R6300v2 before 
1.0.4.50, R6400 before 1.0.1.68, R6400v2 before 1.0.4.118, 
R6700v3 before 1.0.4.118, R6900P before 1.3.3.140, R7000 
before 1.0.11.116, R7000P before 1.3.3.140, R7850 before 
1.0.5.68, R7900 before 1.0.4.38, R7900P before 1.4.2.84, 
R7960P before 1.4.2.84, R8000 before 1.0.4.68, R8000P before 
1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 
before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 
1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 
before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 
1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, 
RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 
before 3.2.17.12, RBS850 before 3.2.17.12, RS400 before 





1.5.1.80, and XR1000 before 1.0.0.58. 








2021-12-26 





not yet 
calculated 





CVE-2021-45604 
MISC 
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netgear -- cbr750_firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, 
RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 
before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45505 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects CBR750 before 4.6.3.6, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 
3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45596 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 
3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45502 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR750 before 4.6.3.6, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 
3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45632 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR750 before 4.6.3.6, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 
3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45634 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR750 before 4.6.3.6, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 
3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45635 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR750 before 3.2.18.2, 
LAX20 before 1.1.6.28, MK62 before 1.0.6.116, MR60 before 
1.0.6.116, MS60 before 1.0.6.116, R6900P before 1.3.3.140, 
R7000 before 1.0.11.126, R7000P before 1.3.3.140, R7850 before 
1.0.5.68, R7900 before 1.0.4.46, R7900P before 1.4.2.84, 
R7960P before 1.4.2.84, R8000 before 1.0.4.68, R8000P before 
1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 1.0.3.96, RAX200 
before 1.0.4.120, RAX35v2 before 1.0.3.96, RAX40v2 before 
1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 1.0.3.96, RAX50 
before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 before 
1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, 
RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 
before 3.2.17.12, RBS850 before 3.2.17.12, RS400 before 
1.5.1.80, and XR1000 before 1.0.0.58. 


2021-12-26 


not yet 
calculated 


CVE-2021-45616 
MISC 








netgear -- cbr750_ firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects CBR750 before 4.6.3.6, 
RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 
before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 
3.2.17.12, and RBS850 before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45629 
MISC 








netgear -- d3600_firmware 








Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects D3600 before 1.0.0.76, D6000 
before 1.0.0.78, D6100 before 1.0.0.63, D6220 before 1.0.0.52, 
D6400 before 1.0.0.86, D7800 before 1.0.1.56, D8500 before 
1.0.3.44, DGN2200Bv4 before 1.0.0.109, DGN2200v4 before 
1.0.0.110, R6250 before 1.0.4.34, R6300v2 before 1.0.4.34, 
R6400 before 1.0.1.46, R6400v2 before 1.0.2.66, R6700 before 
1.0.2.6, R6700v3 before 1.0.2.66, R6900 before 1.0.2.4, R6900P 
before 1.3.1.64, R7000 before 1.0.9.42, R7000P before 1.3.1.64, 
R7100LG before 1.0.0.50, R7300 before 1.0.0.70, R7900 before 
1.0.3.8, R7900P before 1.4.1.30, R8000 before 1.0.4.28, R8000P 
before 1.4.1.30, R8300 before 1.0.2.128, R8500 before 1.0.2.128, 
WNDR3400v3 before 1.0.1.24, WNR3500Lv2 before 1.2.0.62, and 





XR500 before 2.3.2.56. 








2021-12-26 





not yet 
calculated 





CVE-2021-45550 
MISC 
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netgear -- d3600_firmware 


Certain NETGEAR devices are affected by incorrect configuration 
of security settings. This affects D3600 before 1.0.0.72, D6000 
before 1.0.0.72, D6200 before 1.1.00.34, D6220 before 1.0.0.52, 
D6400 before 1.0.0.86, D7000 before 1.0.1.74, D7000v2 before 
1.0.0.53, D7800 before 1.0.1.56, D8500 before 1.0.3.44, DC112A 
before 1.0.0.42, DGN2200v4 before 1.0.0.110, DGND2200Bv4 
before 1.0.0.109, DM200 before 1.0.0.61, EX3700 before 
1.0.0.76, EX3800 before 1.0.0.76, EX6120 before 1.0.0.46, 
EX6130 before 1.0.0.28, EX7000 before 1.0.1.78, PR2000 before 
1.0.0.28, R6220 before 1.1.0.100, R6230 before 1.1.0.100, R6250 
before 1.0.4.34, R6300v2 before 1.0.4.34, R6400 before 1.0.1.46, 
R6400v2 before 1.0.2.66, R6700 before 1.0.2.6, R6700v3 before 
1.0.2.66, R6900 before 1.0.2.6, R7000 before 1.0.9.34, R7100LG 
before 1.0.0.50, R7500v2 before 1.0.3.40, R7900P before 
1.4.1.50, R8000P before 1.4.1.50, R8900 before 1.0.4.12, R9000 
before 1.0.4.12, RBK20 before 2.3.0.28, RBK40 before 2.3.0.28, 
RBK50 before 2.3.0.32, RBR20 before 2.3.0.28, RBR40 before 
2.3.0.28, RBR50 before 2.3.0.32, RBS20 before 2.3.0.28, RBS40 
before 2.3.0.28, RBS50 before 2.3.0.32, WN3000RPv2 before 
1.0.0.78, WNDR3400v3 before 1.0.1.24, WNR2000v5 before 
1.0.0.70, WNR2020 before 1.1.0.62, WNR3500Lv2 before 
1.2.0.62, XR450 before 2.3.2.56, and XR500 before 2.3.2.56. 


2021-12-26 


not yet 
calculated 


CVE-2021-45640 
MISC 








netgear -- d3600_firmware 


Certain NETGEAR devices are affected by incorrect configuration 
of security settings. This affects D3600 before 1.0.0.72, D6000 
before 1.0.0.72, D6200 before 1.1.00.34, D6220 before 1.0.0.52, 
D6400 before 1.0.0.86, D7000 before 1.0.1.74, D7000v2 before 
1.0.0.53, D7800 before 1.0.1.56, D8500 before 1.0.3.44, DC112A 
before 1.0.0.42, DGN2200Bv4 before 1.0.0.109, DGN2200v4 
before 1.0.0.110, DM200 before 1.0.0.61, EX3700 before 1.0.0.76, 
EX3800 before 1.0.0.76, EX6120 before 1.0.0.46, EX6130 before 
1.0.0.28, EX7000 before 1.0.1.78, PR2000 before 1.0.0.28, R6220 
before 1.1.0.100, R6230 before 1.1.0.100, R6250 before 1.0.4.34, 
R6300v2 before 1.0.4.34, R6400 before 1.0.1.46, R6400v2 before 
1.0.2.66, R6700v3 before 1.0.2.66, R6700 before 1.0.2.6, R6900 
before 1.0.2.6, R7000 before 1.0.9.34, R7100LG before 1.0.0.50, 
R7500v2 before 1.0.3.40, R7900P before 1.4.1.50, R8000P 
before 1.4.1.50, R8900 before 1.0.4.12, R9000 before 1.0.4.12, 
RBK20 before 2.3.0.28, RBR20 before 2.3.0.28, RBS20 before 
2.3.0.28, RBK40 before 2.3.0.28, RBR40 before 2.3.0.28, RBS40 
before 2.3.0.28, RBK50 before 2.3.0.32, RBR50 before 2.3.0.32, 
RBS50 before 2.3.0.32, WN3000RPv2 before 1.0.0.78, 
WNDR3400v3 before 1.0.1.24, WNR2000v5 before 1.0.0.70, 
WNR2020 before 1.1.0.62, and XR500 before 2.3.2.56. 


2021-12-26 


not yet 
calculated 


CVE-2021-45641 
MISC 








netgear -- d6200_firmware 


Certain NETGEAR devices are affected by Stored XSS. This 
affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 
before 1.0.0.48, R6080 before 1.0.0.48, R6120 before 1.0.0.76, 
R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 before 
1.1.0.78, R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, 
R6700v2 before 1.2.0.76, R6850 before 1.1.0.78, R7200 before 
1.2.0.76, R7350 before 1.2.0.76, R7400 before 1.2.0.76, R7450 
before 1.2.0.76, AC2100 before 1.2.0.76, AC2400 before 1.2.0.76, 
AC2600 before 1.2.0.76, and RAX40 before 1.0.3.62. 


2021-12-26 


not yet 
calculated 


CVE-2021-45672 
MISC 








netgear -- d6200_firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects D6200 before 1.1.00.40, 
D7000 before 1.0.1.78, R6020 before 1.0.0.42, R6080 before 
1.0.0.42, R6050 before 1.0.1.26, JR6150 before 1.0.1.26, R6120 
before 1.0.0.66, R6220 before 1.1.0.110, R6230 before 1.1.0.110, 
R6260 before 1.1.0.64, R6800 before 1.2.0.62, R6700v2 before 
1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, 
AC2100 before 1.2.0.62, AC2400 before 1.2.0.62, AC2600 before 
1.2.0.62, and WNR2020 before 1.1.0.62. 


2021-12-26 


not yet 
calculated 


CVE-2021-45551 
MISC 








netgear -- d6200_firmware 








Certain NETGEAR devices are affected by server-side injection. 
This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, 
R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6050 before 
1.0.1.26, JR6150 before 1.0.1.26, R6120 before 1.0.0.66, R6220 
before 1.1.0.100, R6230 before 1.1.0.100, R6260 before 1.1.0.78, 
R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6700v2 before 
1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, 
AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, RBK40 before 
2.5.1.16, RBR40 before 2.5.1.16, RBS40 before 2.5.1.16, RBK20 
before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, 
RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 
2.5.1.16, and RBS5OY before 2.6.1.40. 











2021-12-26 





not yet 
calculated 





CVE-2021-45656 
MISC 
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Certain NETGEAR devices are affected by server-side injection. 
This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, 
R6020 before 1.0.0.48, R6080 before 1.0.0.48, R6050 before 
1.0.1.26, JR6150 before 1.0.1.26, R6120 before 1.0.0.66, R6220 
before 1.1.0.100, R6230 before 1.1.0.100, R6260 before 1.1.0.78, 
netgear -- d6200_firmware R6800 before 1.2.0.76, R6900v2 before 1.2.0.76, R6700v2 before 
1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, 
AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, RBK40 before 
2.5.1.16, RBR40 before 2.5.1.16, RBS40 before 2.5.1.16, RBK20 
before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, 
RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 
2.5.1.16, RBS50Y before 2.6.1.40, and WNR2020 before 1.1.0.62. 


NETGEAR D6220 devices before 1.0.0.76 are affected by 
command injection by an authenticated user. 


Certain NETGEAR devices are affected by a buffer overflow by an 
unauthenticated attacker. This affects D6220 before 1.0.0.66, 
D6400 before 1.0.0.100, D7000v2 before 1.0.0.66, D8500 before 
1.0.3.58, DC112A before 1.0.0.52, DGN2200v4 before 1.0.0.118, 
EAX80 before 1.0.1.64, R6250 before 1.0.4.48, R7000 before 
1.0.11.110, R7100LG before 1.0.0.72, R7900 before 1.0.4.30, 
R7960P before 1.4.1.64, R8000 before 1.0.4.62, RAX200 before 2021-12-26 
1.0.3.106, RS400 before 1.5.1.80, XR300 before 1.0.3.68, 
R6400v2 before 1.0.4.106, R7000P before 1.3.2.132, R8000P 
before 1.4.1.64, RAX20 before 1.0.2.82, RAX45 before 1.0.2.82, 
RAX80 before 1.0.3.106, R6700v3 before 1.0.4.106, R6900P 
before 1.3.2.132, R7900P before 1.4.1.64, RAX15 before 
1.0.2.82, RAX50 before 1.0.2.82, and RAX75 before 1.0.3.106. 


Certain NETGEAR devices are affected by a stack-based buffer 
overflow by an unauthenticated attacker. This affects D6220 
before 1.0.0.68, D6400 before 1.0.0.102, D7000v2 before 
netgear -- d6220_firmware 1.0.0.74, D8500 before 1.0.3.60, DC112A before 1.0.0.56, 
R6300v2 before 1.0.4.50, R6400 before 1.0.1.68, R7000 before 
1.0.11.116, R7100LG before 1.0.0.70, RBS40V before 2.6.2.8, 
RBW30 before 2.6.2.2, RS400 before 1.5.1.80, R7000P before 
1.3.2.132, and R6900P before 1.3.2.132. 


Certain NETGEAR devices are affected by a buffer overflow by an 
authenticated user. This affects D6220 before 1.0.0.68, D6400 
before 1.0.0.102, D7000v2 before 1.0.0.66, D8500 before 
1.0.3.58, DC112A before 1.0.0.54, EX7000 before 1.0.1.94, 
EX7500 before 1.0.0.72, R6250 before 1.0.4.48, R6300v2 before 
1.0.4.52, R6400 before 1.0.1.70, R6400v2 before 1.0.4.102, 
R6700v3 before 1.0.4.102, R7000 before 1.0.11.116, R7100LG 
before 1.0.0.64, R7850 before 1.0.5.68, R7900 before 1.0.4.30, 
R7960P before 1.4.1.68, R8000 before 1.0.4.52, RAX200 before 2021-12-26 
1.0.2.88, RBS40V before 2.6.2.4, RS400 before 1.5.1.80, XR300 
before 1.0.3.56, R7000P before 1.3.2.124, R8000P before 
1.4.1.68, R8500 before 1.0.2.144, RAX80 before 1.0.3.102, 
R6900P before 1.3.2.124, R7900P before 1.4.1.68, R8300 before 
1.0.2.144, RAX75 before 1.0.3.102, RBR750 before 3.2.17.12, 
RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, RBS850 
before 3.2.17.12, RBK752 before 3.2.17.12, and RBK852 before 
3.2.17.12. 


not yet ||CVE-2021-45657 


2021-12-26 || calculated MISC 








not yet ||CVE-2021-45531 


2021-12-26 || calculated ÎMISC 


netgear -- d6220_firmware 








netgear -- d6220_firmware not yet CVE-2021-45610 


calculated ||MISC 








not yet CVE-2021-45638 


2021-12-26 || calculated ÎMISC 








netgear -- d6220_firmware not yet |CVE-2021-45527 


calculated ||MISC 












































2 NETGEAR D7000 devices before 1.0.1.82 are affected by not yet |CVE-2021-45497 
netgear -- d7000_firmware authentication bypass. 2021-12-26 || calculated MISC 
netgear -- d7000_firmware NETGEAR D7000 devices before 1.0.1.68 are affected by 2021-12-26 not yet |CVE-2021-45495 
authentication bypass. calculated ||MISC 
: NETGEAR D7000 devices before 1.0.1.82 are affected by not yet |CVE-2021-45496 
netgear -- d7000_firmware authentication bypass. 2021-12-26 || calculated [MISC 
; NETGEAR D7000 devices before 1.0.1.82 are affected by a stack- not yet ||CVE-2021-45636 
netgear a7 000 firmware based buffer overflow by an unauthenticated attacker. 2021-12-26 || calculated MISC 
Certain NETGEAR devices are affected by weak cryptography. 
This affects D7000v2 before 1.0.0.62, D8500 before 1.0.3.50, 
EX3700 before 1.0.0.84, EX3800 before 1.0.0.84, EX6120 before 
1.0.0.54, EX6130 before 1.0.0.36, EX7000 before 1.0.1.90, R6250 
netgear -- d7000v2_firmware before 1.0.4.42, R6400v2 before 1.0.4.98, R6700v3 before 2021-12-26 not yet ||CVE-2021-45512 


1.0.4.98, R6900P before 1.3.2.124, R7000 before 1.0.11.106, 
R7000P before 1.3.2.124, R7100LG before 1.0.0.56, R7900 
before 1.0.4.26, R8000 before 1.0.4.58, R8300 before 1.0.2.134, 
R8500 before 1.0.2.134, RS400 before 1.5.0.48, WNR3500Lv2 
before 1.2.0.62, and XR300 before 1.0.3.50. 


calculated ||MISC 
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netgear -- d7000v2_firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects D7000v2 before 
1.0.0.74, LAX20 before 1.1.6.28, MK62 before 1.0.6.116, MR60 
before 1.0.6.116, MS60 before 1.0.6.116, RAX15 before 1.0.3.96, 
RAX20 before 1.0.3.96, RAX200 before 1.0.4.120, RAX45 before 
1.0.3.96, RAX50 before 1.0.3.96, RAX43 before 1.0.3.96, 
RAX40v2 before 1.0.3.96, RAX35v2 before 1.0.3.96, RAX75 
before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 
3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, 
RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, RBS850 
before 3.2.17.12, and XR1000 before 1.0.0.58. 


2021-12-26 


not yet 
calculated 


CVE-2021-45614 
MISC 








netgear -- d7800_ firmware 


Certain NETGEAR devices are affected by server-side injection. 
This affects D7800 before 1.0.1.58, DM200 before 1.0.0.66, 
EX2700 before 1.0.1.56, EX6150v2 before 1.0.1.86, EX6100v2 
before 1.0.1.86, EX6200v2 before 1.0.1.78, EX6250 before 
1.0.0.110, EX6410 before 1.0.0.110, EX6420 before 1.0.0.110, 
EX6400v2 before 1.0.0.110, EX7300 before 1.0.2.144, EX6400 
before 1.0.2.144, EX7320 before 1.0.0.110, EX7300v2 before 
1.0.0.110, R7500v2 before 1.0.3.48, R7800 before 1.0.2.68, 
R8900 before 1.0.5.2, R9000 before 1.0.5.2, RAX120 before 
1.0.1.90, RBK40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 
before 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, 
RBR50 before 2.5.1.16, RBS50 before 2.5.1.16, RBS50Y before 
2.6.1.40, WN3000RPv2 before 1.0.0.78, WN3000RPv3 before 
1.0.2.80, WNR2000v5 before 1.0.0.72, XR500 before 2.3.2.56, 
and XR700 before 1.0.1.20. 


2021-12-26 


not yet 
calculated 


CVE-2021-45658 
MISC 








netgear -- d7800_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects D7800 before 1.0.1.66, 
EX2700 before 1.0.1.68, WN3000RPv2 before 1.0.0.90, 
WN3000RPV3 before 1.0.2.100, LBR1020 before 2.6.5.20, LBR20 
before 2.6.5.32, R6700AX before 1.0.10.110, R7800 before 
1.0.2.86, R8900 before 1.0.5.38, R9000 before 1.0.5.38, RAX10 
before 1.0.10.110, RAX120v1 before 1.2.3.28, RAX120v2 before 
1.2.3.28, RAX70 before 1.0.10.110, RAX78 before 1.0.10.110, 
XR450 before 2.3.2.130, XR500 before 2.3.2.130, and XR700 
before 1.0.1.46. 


2021-12-26 


not yet 
calculated 


CVE-2021-45602 
MISC 
MISC 








netgear -- d7800_ firmware 


Certain NETGEAR devices are affected by disclosure of sensitive 
information. A UPnP request reveals a device's serial number, 
which can be used for a password reset. This affects D7800 
before 1.0.1.66, EX2700 before 1.0.1.68, WN3000RPv2 before 
1.0.0.90, WN3000RPV3 before 1.0.2.100, LBR1020 before 
2.6.5.20, LBR20 before 2.6.5.32, R6700AX before 1.0.10.110, 
R7800 before 1.0.2.86, R8900 before 1.0.5.38, R9000 before 
1.0.5.38, RAX10 before 1.0.10.110, RAX120v1 before 1.2.3.28, 
RAX120v2 before 1.2.3.28, RAX70 before 1.0.10.110, RAX78 
before 1.0.10.110, XR450 before 2.3.2.130, XR500 before 
2.3.2.130, and XR700 before 1.0.1.46. 


2021-12-26 


not yet 
calculated 


CVE-2021-45603 
MISC 
MISC 








netgear -- d7800_ firmware 


Certain NETGEAR devices are affected by incorrect configuration 
of security settings. This affects D7800 before 1.0.1.64, EX6250 
before 1.0.0.134, EX7700 before 1.0.0.222, LBR20 before 
2.6.3.50, RBS50Y before 2.7.3.22, R8900 before 1.0.5.26, R9000 
before 1.0.5.26, XR450 before 2.3.2.66, XR500 before 2.3.2.66, 
XR700 before 1.0.1.36, EX7320 before 1.0.0.134, RAX120 before 
1.2.2.24, EX7300v2 before 1.0.0.134, RAX120v2 before 1.2.2.24, 
EX6410 before 1.0.0.134, RBR10 before 2.7.3.22, RBR20 before 
2.7.3.22, RBR40 before 2.7.3.22, RBR50 before 2.7.3.22, EX6420 
before 1.0.0.134, RBS10 before 2.7.3.22, RBS20 before 2.7.3.22, 
RBS40 before 2.7.3.22, RBS50 before 2.7.3.22, EX6400v2 before 
1.0.0.134, RBK12 before 2.7.3.22, RBK20 before 2.7.3.22, RBK40 
before 2.7.3.22, and RBK5O before 2.7.3.22. 


2021-12-26 


not yet 
calculated 


CVE-2021-45642 
MISC 








netgear -- d7800_ firmware 








Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects D7800 before 1.0.1.58, 
R7500v2 before 1.0.3.48, R7800 before 1.0.2.68, R8900 before 
1.0.5.2, R9000 before 1.0.5.2, RAX120 before 1.0.1.108, and 





XR700 before 1.0.1.20. 








2021-12-26 





not yet 
calculated 





CVE-2021-45552 
MISC 
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Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects D7800 before 1.0.1.60, DM200 
before 1.0.0.66, EX2700 before 1.0.1.56, EX6150v2 before 
1.0.1.86, EX6200v2 before 1.0.1.86, EX6250 before 1.0.0.128, 
EX6400 before 1.0.2.144, EX6400v2 before 1.0.0.128, EX6410 
before 1.0.0.128, EX6420 before 1.0.0.128, EX7300 before 
netgear -- d7800_firmware 1.0.2.144, EX7300v2 before 1.0.0.128, EX7320 before 1.0.0.128, 2021-12-26 not yet ||CVE-2021-45548 
R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before calculated ||MISC 

1.0.5.26, R9000 before 1.0.5.2, RAX120 before 1.0.1.128, 
WN3000RPVv2 before 1.0.0.78, WN3000RPv3 before 1.0.2.80, 
WNR2000V5 before 1.0.0.74, XR500 before 2.3.2.66, RBK20 
before 2.7.3.22, RBR20 before 2.7.3.22, RBS20 before 2.7.3.22, 
RBK40 before 2.7.3.22, RBR40 before 2.7.3.22, and RBS40 
before 2.7.3.22. 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects D7800 before 1.0.1.64, 
EX6200v2 before 1.0.1.86, EX6250 before 1.0.0.134, EX7700 
before 1.0.0.216, EX8000 before 1.0.1.232, LBR20 before 
2.6.3.50, R7800 before 1.0.2.80, R8900 before 1.0.5.26, R9000 
before 1.0.5.26, RAX120 before 1.2.0.16, RBS50Y before 
1.0.0.56, WNR2000v5 before 1.0.0.76, XR450 before 2.3.2.114, 
XR500 before 2.3.2.114, XR700 before 1.0.1.36, EX6150v2 
before 1.0.1.98, EX7300 before 1.0.2.158, EX7320 before 2021-12-26 
1.0.0.134, EX6100v2 before 1.0.1.98, EX6400 before 1.0.2.158, 
EX7300v2 before 1.0.0.134, EX6410 before 1.0.0.134, RBR10 
before 2.6.1.44, RBR20 before 2.6.2.104, RBR40 before 
2.6.2.104, RBR50 before 2.7.2.102, EX6420 before 1.0.0.134, 
RBS10 before 2.6.1.44, RBS20 before 2.6.2.104, RBS40 before 
2.6.2.104, RBS50 before 2.7.2.102, EX6400v2 before 1.0.0.134, 
RBK12 before 2.6.1.44, RBK20 before 2.6.2.104, RBK40 before 
2.6.2.104, and RBK50 before 2.7.2.102. 


Certain NETGEAR devices are affected by a buffer overflow by an 
netgear -- d7800_ firmware unauthenticated attacker. This affects D7800 before 1.0.1.68, 2021-12-26 
R6400v2 before 1.0.4.122, and R6700v3 before 1.0.4.122. 


Certain NETGEAR devices are affected by a buffer overflow by an 
unauthenticated attacker. This affects D8500 before 1.0.3.58, 
netgear -- d8500_ firmware R6250 before 1.0.4.48, R7000 before 1.0.11.116, R7100LG before 
1.0.0.64, R7900 before 1.0.4.38, R8300 before 1.0.2.144, R8500 
before 1.0.2.144, XR300 before 1.0.3.68, R7000P before 
1.3.2.132, and R6900P before 1.3.2.132. 


Certain NETGEAR devices are affected by a buffer overflow by an 
unauthenticated attacker. This affects DC112A before 1.0.0.52, 
R6400 before 1.0.1.68, RAX200 before 1.0.3.106, WNDR3400v3 
before 1.0.1.38, XR300 before 1.0.3.68, R8500 before 1.0.2.144, 
RAX75 before 1.0.3.106, R8300 before 1.0.2.144, and RAX80 
before 1.0.3.106. 


Certain NETGEAR devices are affected by stored XSS. This 
affects EAX20 before 1.0.0.36, EAX80 before 1.0.1.62, EX3700 
before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, 
netgear -- eax20_ firmware EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, RBW30 before 
2.6.1.4, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, 
RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 
before 3.2.16.6, RBS850 before 3.2.16.6, and RBS40V before 
2.6.1.4. 


Certain NETGEAR devices are affected by stored XSS. This 
affects EAX20 before 1.0.0.48, EAX80 before 1.0.1.64, EX3700 
before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, 
EX6130 before 1.0.0.44, EX7500 before 1.0.0.72, R7960P before 
1.4.1.66, R7900P before 1.4.1.66, R8000P before 1.4.1.66, 
RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 
1.0.3.106, RAX45 before 1.0.2.72, RAX50 before 1.0.2.72, RAX75 
before 1.0.3.106, and RAX80 before 1.0.3.106. 








netgear -- d7800_ firmware not yet ||CVE-2021-45618 


calculated ||MISC 








not yet ||CVE-2021-45608 
calculated |MISC 








not yet |CVE-2021-45609 


2021-12-26 || calculated |IMISC 








not yet |CVE-2021-45611 


2021-12-26 || calculated MISC 


netgear -- dc112a_firmware 








not yet ||CVE-2021-45665 


2021-12-26 || calculated MISC 








not yet ||CVE-2021-45668 


2021-12-26 || calculated ÎMISC 


netgear -- eax20_firmware 
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netgear -- eax80_firmware 


Certain NETGEAR devices are affected by disclosure of sensitive 
information. This affects EAX80 before 1.0.1.62, EX7000 before 
1.0.1.104, R6120 before 1.0.0.76, R6220 before 1.1.0.110, R6230 
before 1.1.0.110, R6260 before 1.1.0.78, R6850 before 1.1.0.78, 
R6350 before 1.1.0.78, R6330 before 1.1.0.78, R6800 before 
1.2.0.76, R6900v2 before 1.2.0.76, R6700v2 before 1.2.0.76, 
R7000 before 1.0.11.116, R6900P before 1.3.3.140, R7000P 
before 1.3.3.140, R7200 before 1.2.0.76, R7350 before 1.2.0.76, 
R7400 before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 
1.2.0.76, AC2400 before 1.2.0.76, AC2600 before 1.2.0.76, 
R7900 before 1.0.4.38, R7960P before 1.4.1.66, R8000 before 
1.0.4.68, R7900P before 1.4.1.66, R8000P before 1.4.1.66, 
RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, RAX200 before 
1.0.3.106, RAX45 before 1.0.2.72, RAX50 before 1.0.2.72, RAX75 
before 1.0.3.106, and RAX80 before 1.0.3.106. 


2021-12-26 


not yet 
calculated 


CVE-2021-45647 
MISC 








netgear -- ex6000_ firmware 


Certain NETGEAR devices are affected by a buffer overflow by an 
authenticated user. This affects EX6000 before 1.0.0.38, EX6120 
before 1.0.0.48, EX6130 before 1.0.0.30, R6300v2 before 
1.0.4.52, R6400 before 1.0.1.52, R7000 before 1.0.11.126, R7900 
before 1.0.4.30, R8000 before 1.0.4.52, R7000P before 1.3.2.124, 
R8000P before 1.4.1.50, RAX80 before 1.0.3.88, R6900P before 
1.3.2.124, R7900P before 1.4.1.50, and RAX75 before 1.0.3.88. 


2021-12-26 


not yet 
calculated 


CVE-2021-45526 
MISC 








netgear -- ex6100v2_ firmware 


Certain NETGEAR devices are affected by disclosure of sensitive 
information. This affects EX6100v2 before 1.0.1.106, EX6150v2 
before 1.0.1.106, EX6250 before 1.0.0.146, EX6400 before 
1.0.2.164, EX6400v2 before 1.0.0.146, EX6410 before 1.0.0.146, 
EX6420 before 1.0.0.146, EX7300 before 1.0.2.164, EX7300v2 
before 1.0.0.146, EX7320 before 1.0.0.146, EX7700 before 
1.0.0.222, LBR1020 before 2.6.5.16, LBR20 before 2.6.5.2, 
RBK352 before 4.3.4.7, RBK50 before 2.7.3.22, RBR350 before 
4.3.4.7, RBR50 before 2.7.3.22, and RBS350 before 4.3.4.7. 


2021-12-26 


not yet 
calculated 


CVE-2021-45648 
MISC 








netgear -- ex6120_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects EX6120 before 1.0.0.66, 
EX6130 before 1.0.0.46, EX7000 before 1.0.1.106, EX7500 
before 1.0.1.76, EX3700 before 1.0.0.94, EX3800 before 1.0.0.94, 
RBR850 before 4.6.3.9, RBS850 before 4.6.3.9, and RBK852 
before 4.6.3.9. 


2021-12-26 


not yet 
calculated 


CVE-2021-45533 
MISC 








netgear -- ex6200v2_firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects EX6200v2 before 
1.0.1.86, EX6250 before 1.0.0.134, EX7700 before 1.0.0.216, 
EX8000 before 1.0.1.232, LBR1020 before 2.6.3.58, LBR20 
before 2.6.3.50, R7800 before 1.0.2.80, R8900 before 1.0.5.26, 
R9000 before 1.0.5.26, RBS50Y before 2.7.3.22, WNR2000v5 
before 1.0.0.76, XR700 before 1.0.1.36, EX6150v2 before 
1.0.1.98, EX7300 before 1.0.2.158, EX7320 before 1.0.0.134, 
RAX10 before 1.0.2.88, RAX120 before 1.2.0.16, RAX70 before 
1.0.2.88, EX6100v2 before 1.0.1.98, EX6400 before 1.0.2.158, 
EX7300v2 before 1.0.0.134, R6700AX before 1.0.2.88, RAX120v2 
before 1.2.0.16, RAX78 before 1.0.2.88, EX6410 before 1.0.0.134, 
RBR10 before 2.7.3.22, RBR20 before 2.7.3.22, RBR350 before 
4.3.4.7, RBR40 before 2.7.3.22, RBR50 before 2.7.3.22, EX6420 
before 1.0.0.134, RBS10 before 2.7.3.22, RBS20 before 2.7.3.22, 
RBS350 before 4.3.4.7, RBS40 before 2.7.3.22, RBS50 before 
2.7.3.22, EX6400v2 before 1.0.0.134, RBK12 before 2.7.3.22, 
RBK20 before 2.7.3.22, RBK352 before 4.3.4.7, RBK40 before 
2.7.3.22, and RBK50 before 2.7.3.22. 


2021-12-26 


not yet 
calculated 


CVE-2021-45619 
MISC 








netgear -- ex7000_ firmware 


Certain NETGEAR devices are affected by a buffer overflow by an 
authenticated user. This affects EX7000 before 1.0.1.80, R6400 
before 1.0.1.50, R6400v2 before 1.0.4.118, R6700 before 1.0.2.8, 
R6700v3 before 1.0.4.118, R6900 before 1.0.2.8, R6900P before 
1.3.2.124, R7000 before 1.0.9.88, R7000P before 1.3.2.124, 
R7900 before 1.0.3.18, R7900P before 1.4.1.50, R8000 before 
1.0.4.46, R8000P before 1.4.1.50, RAX80 before 1.0.1.56, and 
WNR3500Lv2 before 1.2.0.62. 


2021-12-26 


not yet 
calculated 


CVE-2021-45525 
MISC 








netgear -- ex7500_ firmware 











Certain NETGEAR devices are affected by denial of service. This 
affects EX7500 before 1.0.0.72, RBS40V before 2.6.1.4, RBW30 
before 2.6.1.4, RBRE960 before 6.0.3.68, RBSE960 before 
6.0.3.68, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, 
RBS750 before 3.2.17.12, RBS850 before 3.2.17.12, RBK752 
before 3.2.17.12, and RBK852 before 3.2.17.12. 








2021-12-26 





not yet 
calculated 








CVE-2021-45515 
MISC 
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netgear -- gc108p_firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects GC108P before 1.0.8.2, 
GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPv3 
before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TUP before 
1.0.5.3, GS710TUP before 1.0.5.3, GS308T before 1.0.3.2, 
GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP 
before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 
2.0.6.3, GS724TPv2 before 2.0.6.3, GS724TPP before 2.0.6.3, 
GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, 
GS752TPv2 before 6.0.8.2, GS752TPP before 6.0.8.2, GS750E 
before 1.0.1.10, MS510TXM before 1.0.4.2, and MS510TXUP 
before 1.0.4.2. 


2021-12-26 


not yet 
calculated 


CVE-2021-45557 
MISC 








netgear -- genie_installer 


All known versions of the Netgear Genie Installer for macOS 
contain a local privilege escalation vulnerability. The installer of 
the macOS version of Netgear Genie handles certain files in an 
insecure way. A malicious actor who has local access to the 
endpoint on which the software is going to be installed may 
overwrite certain files to obtain privilege escalation to root. 


2021-12-30 


calculated 


CVE-2021-20172 
MISC 








netgear -- gs108tv2_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects GS108Tv2 before 5.4.2.36, 
GS110TPP before 7.0.7.2, GS110TPv2 before 5.4.2.36., 
GS110TPv3 before 7.0.7.2, GS308T before 1.0.3.2, GS310TP 
before 1.0.3.2, GS724TPP before 2.0.6.3, GS724TPv2 before 
2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, 
GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, 
MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2. 


2021-12-26 


not yet 
calculated 


not yet 


CVE-2021-45556 
MISC 








netgear -- gs108tv2_ firmware 


Certain NETGEAR devices are affected by stored XSS. This 
affects GS108Tv2 before 5.4.2.36 and GS110TPv2 before 
5.4.2.36. 


2021-12-26 


not yet 
calculated 


CVE-2021-45677 
MISC 








netgear -- lax20_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects LAX20 before 1.1.6.28, MK62 
before 1.1.6.122, MR60 before 1.1.6.122, MS60 before 1.1.6.122, 
R6400v2 before 1.0.4.118, R6700v3 before 1.0.4.118, R6900P 
before 1.3.3.140, R7000 before 1.0.11.116, R7000P before 
1.3.3.140, R7850 before 1.0.5.68, R7900 before 1.0.4.38, R7900P 
before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.68, 
R8000P before 1.4.2.84, RAX15 before 1.0.3.96, RAX20 before 
1.0.3.96, RAX200 before 1.0.4.120, RAX35v2 before 1.0.3.96, 
RAX40v2 before 1.0.3.96, RAX43 before 1.0.3.96, RAX45 before 
1.0.3.96, RAX50 before 1.0.3.96, RAX75 before 1.0.4.120, RAX80 
before 1.0.4.120, RS400 before 1.5.1.80, and XR1000 before 
1.0.0.58. 


2021-12-26 


not yet 
calculated 


CVE-2021-45549 
MISC 








netgear -- lbr20_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects LBR20 before 2.6.3.50, 
RBSSOY before 2.7.3.22, RBR10 before 2.7.3.22, RBR20 before 
2.7.3.22, RBR40 before 2.7.3.22, RBR50 before 2.7.3.22, RBS10 
before 2.7.3.22, RBS20 before 2.7.3.22, RBS40 before 2.7.3.22, 
RBS50 before 2.7.3.22, RBK12 before 2.7.3.22, RBK20 before 
2.7.3.22, RBK40 before 2.7.3.22, and RBK50 before 2.7.3.22. 


2021-12-26 


calculated 


CVE-2021-45595 
MISC 








netgear -- mediatek 


MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle the WPS (Wi-Fi 
Protected Setup) protocol. 


2021-12-26 


not yet 
calculated 


CVE-2021-32469 
MISC 








netgear -- mediatek 


MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle the WPS (Wi-Fi 
Protected Setup) protocol. 


2021-12-26 


not yet 
calculated 


CVE-2021-32468 
MISC 








netgear -- mediatek 


MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle the WPS (Wi-Fi 
Protected Setup) protocol. 


2021-12-26 


not yet 
calculated 


not yet 


CVE-2021-32467 
MISC 








netgear -- mediatek_microchips 


MediaTek microchips, as used in NETGEAR devices through 
2021-12-13 and other devices, mishandle attempts at Wi-Fi 
authentication flooding. 


2021-12-26 


not yet 
calculated 





CVE-2021-41788 
MISC 








netgear -- multiple_devices 


MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. 


2021-12-26 


not yet 
calculated 





CVE-2021-37571 
MISC 








netgear -- multiple_devices 


MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. 


2021-12-26 


not yet 
calculated 





CVE-2021-37570 
MISC 








netgear -- multiple_devices 


MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle the WPS (Wi-Fi 
Protected Setup) protocol. 


2021-12-26 


not yet 
calculated 





CVE-2021-37584 
MISC 








netgear -- multiple_devices 


MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. 


2021-12-26 


not yet 
calculated 





CVE-2021-37566 
MISC 








netgear -- multiple_devices 











MediaTek microchips, as used in NETGEAR devices through 
2021-11-11 and other devices, mishandle the WPS (Wi-Fi 
Protected Setup) protocol. 








2021-12-26 





not yet 
calculated 








CVE-2021-37563 
MISC 











https://content.govdelivery.com/accounts/USDHSCISA/bulletins/303e70e 


19/37 








1/4/22, 3:10 PM 


Vulnerability Summary for the Week of December 27, 2021 



























































































































































R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, AC2100 before 


Primary ae j CVSS Source & Patch 
Vendor -- Product Description Published | Score Info 
MediaTek microchips, as used in NETGEAR devices through 
netgear -- multiple_devices 2021-11-11 and other devices, mishandle the WPS (Wi-Fi 2021-12-26 |} Totyet oo 
Protected Setup) protocol. D 
netgear -- multiple _devices MediaTek microchips, as used in NETGEAR devices through 2021-12-26 not yet ||CVE-2021-37565 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. calculated ||MISC 
netgear -- multiple_devices MediaTek microchips, as used in NETGEAR devices through 2021-12-26 not yet |CVE-2021-37572 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. calculated ||MISC 
MediaTek microchips, as used in NETGEAR devices through 
netgear -- multiple_devices 2021-11-11 and other devices, mishandle the WPS (Wi-Fi 2021-42-26 || oer wee 
Protected Setup) protocol. Laem 
Í ; MediaTek microchips, as used in NETGEAR devices through 
netgear Multiple devices 2021-11-11 and other devices, mishandle the WPS (Wi-Fi 2021-12-26 || No et oo 
Protected Setup) protocol. (Saad 
; . MediaTek microchips, as used in NETGEAR devices through not yet |CVE-2021-37569 
netgear- multpléndevices 2021-11-11 and other devices, mishandle IEEE 1905 protocols. || 2021-12-26 || calculated MISC 
netgear -- multiple_devices MediaTek microchips, as used in NETGEAR devices through 2021-12-26 not yet |CVE-2021-37583 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. calculated ||MISC 
; : MediaTek microchips, as used in NETGEAR devices through not yet |CVE-2021-37568 
neigean -multiple devices 2021-11-11 and other devices, mishandle IEEE 1905 protocols. || 2021-12-26 || calculated MISC 
netgear -- multiple _devices MediaTek microchips, as used in NETGEAR devices through 2021-12-26 not yet ||CVE-2021-37564 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. calculated ||MISC 
MediaTek microchips, as used in NETGEAR devices through 
netgear -- multiple_devices 2021-11-11 and other devices, mishandle the WPS (Wi-Fi 2021-12-26 |} Tot yet wee 
Protected Setup) protocol. RIRA 
netgear -- multiple _devices MediaTek microchips, as used in NETGEAR devices through 2021-12-26 not yet ||CVE-2021-37567 
2021-11-11 and other devices, mishandle IEEE 1905 protocols. calculated ||MISC 
Netgear Nighthawk R6700 version 1.0.4.120 makes use of a 
hardcoded credential. It does not appear that normal users are 
intended to be able to manipulate configuration backups due to 
netgear -- nighthawk the fact that they are encrypted/obfuscated. By extracting the 2021-12-30 not yet ||CVE-2021-45732 
configuration using readily available public tools, a user can calculated ||MISC 
reconfigure settings not intended to be manipulated, repackage 
the configuration, and restore a backup causing these settings to 
be changed. 
Netgear Nighthawk R6700 version 1.0.4.120 does not utilize 
secure communication methods to the web interface. By default, 
netgear -- nighthawk_r6700 all communication to/from the device's web interface is sent via 2021-12-30 ia — 
HTTP, which causes potentially sensitive information (such as e 
usernames and passwords) to be transmitted in cleartext. 
Netgear Nighthawk R6700 version 1.0.4.120 does not utilize 
secure communication methods to the SOAP interface. By default, 
netgear -- nighthawk_r6700 all communication to/from the device's SOAP Interface (port 5000) || 2021-12-30 || getye E NE 
is sent via HTTP, which causes potentially sensitive information —— 
(such as usernames and passwords) to be transmitted in cleartext 
Netgear Nighthawk R6700 version 1.0.4.120 does not have 
sufficient protections for the UART console. A malicious actor with 
netgear -- nighthawk_r6700 physical access to the device is able to connect to the UART port || 2021-12-30 ad ao 
via a serial connection and execute commands as the root user = 
without authentication. 
Netgear Nighthawk R6700 version 1.0.4.120 stores sensitive 
information in plaintext. All usernames and passwords for the 
netgear -- nighthawk_r6700 device's associated services are stored in plaintext on the device. || 2021-12-30 Mia ei e S 
For example, the admin password is stored in plaintext in the -< 
primary configuration file on the device. 
Netgear Nighthawk R6700 version 1.0.4.120 contains a command 
injection vulnerability in update functionality of the device. By 
netgear -- nighthawk_r6700 triggering a system update check via the SOAP interface, the 2021-12-30 is i ema 
device is susceptible to command injection via preconfigured E 
values. 
Certain NETGEAR devices are affected by stored XSS. This 
affects R6120 before 1.0.0.76, R6260 before 1.1.0.78, R6850 
before 1.1.0.78, R6350 before 1.1.0.78, R6330 before 1.1.0.78, 
netgear -- r6120_firmware R6800 before 1.2.0.76, R6700v2 before 1.2.0.76, R6900v2 before | 2021-12-26 | TOtvet wee 
1.2.0.76, R7200 before 1.2.0.76, R7350 before 1.2.0.76, R7400 eee 
before 1.2.0.76, R7450 before 1.2.0.76, AC2100 before 1.2.0.76, 
AC2400 before 1.2.0.76, and AC2600 before 1.2.0.76. 
Certain NETGEAR devices are affected by a stack-based buffer 
overflow by an unauthenticated attacker. This affects R6260 
netgear -- r6260_firmware before 1.1.0.76, R6800 before 1.2.0.62, R6700v2 before 1.2.0.62, | 2021-12-26 | Tor yet | oo 








1.2.0.62, AC2400 before 1.2.0.62, and AC2600 before 1.2.0.62. 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Certain NETGEAR devices are affected by a stack-based buffer 
overflow by an unauthenticated attacker. This affects R6260 
netgear -- r6260_firmware before 1.1.0.76, R6800 before 1.2.0.62, R6700v2 before 1.2.0.62, | 2021-12-26 | pot yet | a 
R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, AC2100 before a 
1.2.0.62, AC2400 before 1.2.0.62, and AC2600 before 1.2.0.62. 
Certain NETGEAR devices are affected by a buffer overflow by an 
authenticated user. This affects R6300v2 before 1.0.4.52, R6400 
: before 1.0.1.52, R6900 before 1.0.2.8, R7000 before 1.0.9.88, not yet |CVE-2021-45528 
netgean Fea DONe Mumware R7900 before 1.0.3.18, R8000 before 1.0.4.46, R7900P before | 2021-12-26 || calculated [MISC 
1.4.1.50, R8000P before 1.4.1.50, RAX75 before 1.0.3.88, RAX80 
before 1.0.3.88, and WNR3500Lv2 before 1.2.0.62. 
Certain NETGEAR devices are affected by denial of service. This 
affects R6400 before 1.0.1.70, R7000 before 1.0.11.126, R6900P not vet |ICVE-2021-45516 
netgear -- r6400_firmware before 1.3.3.140, R7000P before 1.3.3.140, R8000 before 2021-12-26 Ai Msc 860OCOC~*” 
1.0.4.74, RBK852 before 3.2.10.11, RBR850 before 3.2.10.11, and TE 
RBS850 before 3.2.10.11. 
; NETGEAR R6400 devices before 1.0.1.70 are affected by server- not yet ||CVE-2021-45655 
netgear -- r6400_firmware side injection. 2021-12-26 calculated MISC 
Certain NETGEAR devices are affected by a stack-based buffer 
overflow by an authenticated user. This affects R6400 before 
1.0.1.70, R7000 before 1.0.11.126, R7900 before 1.0.4.46, 
netgear -- r6400_firmware R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 2021-12-26 not yet ||CVE-2021-45606 
1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, calculated ||MISC 
RS400 before 1.5.1.80, R6400v2 before 1.0.4.118, R7000P before 
1.3.3.140, RAX80 before 1.0.4.120, R6700v3 before 1.0.4.118, 
R6900P before 1.3.3.140, and RAX75 before 1.0.4.120. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R6400 before 1.0.1.74, 
netgear -- r6400_firmware R6400v2 before 1.0.4.118, R6700V3 before 1.0.4.118, R7000 20214226 |) ee e canine 
before 1.0.11.126, R6900P before 1.3.3.140, R7000P before bere 
1.3.3.140, and R8000 before 1.0.4.74. 
Certain NETGEAR devices are affected by a stack-based buffer 
overflow by an authenticated user. This affects R6400 before 
netgear -- r6400_firmware 1.0.1.68, R7000 before 1.0.11.116, R6900P before 1.3.3.140, 2024-42:26 || Tye a 
R7000P before 1.3.3.140, R7900 before 1.0.4.38, RAX75 before m 
1.0.3.102, RAX80 before 1.0.3.102, and XR300 before 1.0.3.50. 
Certain NETGEAR devices are affected by a stack-based buffer 
overflow by an authenticated user. This affects R6400v2 before 
; 1.0.4.118, R6700v3 before 1.0.4.118, R6900P before 1.3.3.140, not yet |CVE-2021-45607 
a a firmware R7000 before 1.0.11.126, R7000P before 1.3.3.140, RAX200 2021-12-26 | calcuiated |MISC 
before 1.0.5.126, RAX75 before 1.0.5.126, and RAX80 before 
1.0.5.126. 
Certain NETGEAR devices are affected by incorrect configuration 
netgear -- r6400v2_firmware of security settings. This affects R6400v2 before 1.0.4.118, atiza || ee v1 aii 
R6700v3 before 1.0.4.118, and XR1000 before 1.0.0.58. Faces 
Certain NETGEAR devices are affected by disclosure of sensitive 
> information. This affects R6400v2 before 1.0.4.84, R6700v3 not yet ||CVE-2021-45649 
netgear = 164002 firmware before 1.0.4.84, R7000 before 1.0.11.126, R6900P before 2021-12-26 | calculated |MISC 
1.3.2.126, and R7000P before 1.3.2.126. 
; NETGEAR R6700v2 devices before 1.2.0.88 are affected by not yet ||CVE-2021-45498 
netgear -- r6700v2_firmware authentication bypass. 2021-12-26 || calculated |MISC 
: Certain NETGEAR devices are affected by privilege escalation. 
netgear -> r6900p firmware This affects R6900P before 1.3.3.140, R7000 before 1.0.11.126, | 2021-12-26 || pot yet [=vE=2021-45679 
R7000P before 1.3.3.140, and RS400 before 1.5.1.80. Wea 
Certain NETGEAR devices are affected by authentication bypass. 
netgear -- r6900p_firmware This affects R6900P before 1.3.3.140, R7000P before 1.3.3.140, 2021-12-26 not yet ||CVE-2021-45499 
R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000P before calculated ||MISC 
1.4.2.84, RAX75 before 1.0.3.106, and RAX80 before 1.0.3.106. 
Certain NETGEAR devices are affected by a buffer overflow by an 
authenticated user. This affects R7000 before 1.0.11.126, R7960P 
before 1.4.2.84, R8000 before 1.0.4.74, RAX200 before 1.0.4.120, not vet |ICVE-2021-45530 
netgear -- r7000_firmware R8000P before 1.4.2.84, RAX20 before 1.0.2.82, RAX45 before 2021-12-26 Pe em Msc 
1.0.2.82, RAX80 before 1.0.4.120, R7900P before 1.4.2.84, -= 
RAX15 before 1.0.2.82, RAX50 before 1.0.2.82, and RAX75 
before 1.0.4.120. 
r NETGEAR R7000 devices before 1.0.11.116 are affected by not yet ||CVE-2021-45646 
netgear -- r7000_firmware disclosure of sensitive information. 2021-12-26 || calculated MISC 
netgear -- r7000_firmware NETGEAR R7000 devices before 1.0.9.88 are affected by stored 2021-12-26 not yet ||CVE-2021-45662 
XSS. calculated |MISC 
. NETGEAR R7000 devices before 1.0.9.42 are affected by a buffer not yet |CVE-2021-45523 
netgear = r7000_firmware overflow by an authenticated user. 2021-12-26 || calculated [MISC 
. NETGEAR R7000 devices before 1.0.11.126 are affected by not yet ||CVE-2021-45664 
netgear -- r7000_firmware stored XSS. 2021-12-26 calculated MISC 
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netgear -- r7000_firmware 


NETGEAR R7000 devices before 1.0.11.126 are affected by 
stored XSS. 


2021-12-26 


not yet 
calculated 





CVE-2021-45663 
MISC 








netgear -- r7000_firmware 


Certain NETGEAR devices are affected by stored XSS. This 
affects R7000 before 1.0.11.110, R7900 before 1.0.4.30, R8000 
before 1.0.4.62, RAX15 before 1.0.2.82, RAX20 before 1.0.2.82, 
RAX200 before 1.0.3.106, RAX75 before 1.0.3.106, and RAX80 
before 1.0.3.106. 


2021-12-26 


not yet 
calculated 


CVE-2021-45674 
MISC 








netgear -- r7000_ firmware 


Certain NETGEAR devices are affected by stored XSS. This 
affects R7000 before 1.0.11.110, R7900 before 1.0.4.30, R8000 
before 1.0.4.62, RAX200 before 1.0.3.106, R7000P before 
1.3.3.140, RAX80 before 1.0.3.106, R6900P before 1.3.3.140, and 
RAX75 before 1.0.3.106. 


2021-12-26 


not yet 
calculated 


CVE-2021-45673 
MISC 








netgear -- r7000_firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R7000 before 1.0.11.126, 
R7900 before 1.0.4.46, R7900P before 1.4.2.84, R7960P before 
1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, 
RAX200 before 1.0.3.106, MR60 before 1.0.6.110, RAX45 before 
1.0.2.66, RAX80 before 1.0.3.106, MS60 before 1.0.6.110, RAX50 
before 1.0.2.66, and RAX75 before 1.0.3.106. 


2021-12-26 


not yet 
calculated 


CVE-2021-45540 
MISC 








netgear -- r7000_firmware 


Certain NETGEAR devices are affected by disclosure of sensitive 
information. This affects R7000 before 1.0.11.110, R7900 before 
1.0.4.30, R8000 before 1.0.4.62, RS400 before 1.5.1.80, R6400v2 
before 1.0.4.102, R7000P before 1.3.2.126, R6700v3 before 
1.0.4.102, and R6900P before 1.3.2.126. 


2021-12-26 


not yet 
calculated 


CVE-2021-45650 
MISC 








netgear -- r7000p_ firmware 


Certain NETGEAR devices are affected by authentication bypass. 
This affects R7000P before 1.3.3.140 and R8000 before 1.0.4.68. 


2021-12-26 


not yet 
calculated 





CVE-2021-45500 
MISC 








netgear -- r7800_firmware 


Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects R7800 before 1.0.2.74, 
R9000 before 1.0.5.2, and XR500 before 2.3.2.66. 


2021-12-26 


not yet 
calculated 





CVE-2021-45623 
MISC 








netgear -- r7850_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R7850 before 1.0.5.74, 
R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 
1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, 
RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK852 before 
3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45544 
MISC 








netgear -- r7850_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R7850 before 1.0.5.74, 
R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 
1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, 
RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 
3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, 
RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, and RBS850 
before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45546 
MISC 








netgear -- r7850_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R7850 before 1.0.5.74, 
R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 
1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, 
RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK852 before 
3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 
3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45545 
MISC 








netgear -- r7850_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R7850 before 1.0.5.74, 
R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 
1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, 
RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 
3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, 
RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, and RBS850 
before 3.2.17.12. 


2021-12-26 


not yet 
calculated 


CVE-2021-45547 
MISC 








netgear -- r7900_ firmware 








Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R7900 before 1.0.4.38, 
R7900P before 1.4.2.84, R8000 before 1.0.4.68, R8000P before 
1.4.2.84, RAX200 before 1.0.3.106, MR60 before 1.0.6.110, 
RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, MS60 before 
1.0.6.110, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, 
RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 
before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 





3.2.16.6, and RBK852 before 3.2.16.6. 








2021-12-26 





not yet 
calculated 





CVE-2021-45541 
MISC 
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potentially sensitive information (such as usernames and 





passwords) to be transmitted in cleartext. 














Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R7900P before 1.4.2.84, 
R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before not vet |ICVE-2021-45539 
netgear -- r7900p_ firmware 1.4.2.84, MR60 before 1.0.6.110, RAX20 before 1.0.2.82, RAX45 || 2021-12-26 Paint inde MISC. 
before 1.0.2.28, RAX80 before 1.0.3.106, MS60 before 1.0.6.110, Pe 
RAX15 before 1.0.2.82, RAX50 before 1.0.2.28, and RAX75 
before 1.0.3.106. 
Certain NETGEAR devices are affected by command injection by 
netgear -- r7900p_firmware an authenticated user. This affects R7900P before 1.4.2.84, 2024-42-26: || TO vet v1 ee 
R7960P before 1.4.2.84, and R8000P before 1.4.2.84. 4 = 
netgear -- r8000_firmware NETGEAR R8000 devices before 1.0.4.62 are affected by a buffer 2021-12-26 not yet ||CVE-2021-45524 
overflow by an authenticated user. calculated ||MISC 
; NETGEAR R8000 devices before 1.0.4.76 are affected by not yet ||CVE-2021-45532 
netgear -- r8000_firmware command injection by an authenticated user. 2021-12-26 || calculated [MISC 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects R8000 before 1.0.4.74, 
netgear -- r8000_firmware RAX200 before 1.0.4.120, R8000P before 1.4.2.84, R7900P 2021-12-26 || notyet -T 
before 1.4.2.84, RBR850 before 3.2.17.12, RBS850 before Eo 
3.2.17.12, and RBK852 before 3.2.17.12. 
netgear -- rax200_firmware NETGEAR RAX200 devices before 1.0.5.132 are affected by 2021-12-26 not yet ||CVE-2021-45678 
insecure code. calculated |MISC 
Certain NETGEAR devices are affected by stored XSS. This 
: affects RAX200 before 1.0.5.126, RAX20 before 1.0.2.82, RAX80 not yet ||CVE-2021-45676 
netgeaf = rax200_Mnware before 1.0.5.126, RAX15 before 1.0.2.82, and RAX75 before 2021-12-26 || calculated [MISC 
1.0.5.126. 
Certain NETGEAR devices are affected by stored XSS. This 
affects RAX200 before 1.0.3.106, MR60 before 1.0.6.110, RAX20 
before 1.0.2.82, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, 
: MS60 before 1.0.6.110, RAX15 before 1.0.2.82, RAX50 before not yet ||CVE-2021-45669 
Netgear faxed firmware 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, 2021-12-26 | calculated |MISC 
RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 
before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user . This affects RAX200 before 1.0.3.106, 
- RAX75 before 1.0.3.106, RAX80 before 1.0.3.106, RBK752 before not yet |CVE-2021-45537 
netgear rax200 firmware 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, 2021-12-26 || calculated |MISC 
RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 
before 3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RAX200 before 1.0.4.120, not yet |CVE-2021-45542 
netgear -- rax200_firmware RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK852 before|| 2021-12-26 saae Msc 
3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before E 
3.2.17.12. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RAX200 before 1.0.3.106, 
: RAX80 before 1.0.3.106, RAX75 before 1.0.3.106, RBK752 before not yet |CVE-2021-45535 
Helgeat = rax200_Mirmware 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, 2021-12-26 || calculated [MISC 
RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 
before 3.2.16.6. 
Certain NETGEAR devices are affected by disclosure of 
netgear -- rax35_ firmware administrative credentials. This affects RAX35 before 1.0.4.102, 2021-12-26 Besse hier -i 
RAX38 before 1.0.4.102, and RAX40 before 1.0.4.102. = 
Netgear RAX43 version 1.0.3.96 contains a command injection 
netgear -- rax43_firmware vulnerability. The readycloud cgi application is vulnerable to 2021-12-30 not yet . bie aeee tener 
"Aaa aaa calculated ||MISC 
command injection in the name parameter. 
Netgear RAX43 version 1.0.3.96 does not have sufficient 
protections to the UART interface. A malicious actor with physical 
; access to the device is able to connect to the UART port via a not yet ||CVE-2021-20168 
netgear -- rax43_firmware serial connection, login with default credentials, and execute 2021-12-30 calculated ||MISC 
commands as the root user. These default credentials are 
admin:admin. 
Netgear RAX43 version 1.0.3.96 does not utilize secure 
communications to the web interface. By default, all 
netgear -- rax43_ firmware communication to/from the device is sent via HTTP, which causes || 2021-12-30 Pat ee oo 











https://content.govdelivery.com/accounts/USDHSCISA/bulletins/303e70e 


23/37 








1/4/22, 3:10 PM 


Vulnerability Summary for the Week of December 27, 2021 























































































































2.7.3.22, and RBSSO before 2.7.3.22. 

















Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Netgear RAX43 version 1.0.3.96 makes use of hardcoded 
credentials. It does not appear that normal users are intended to 
be able to manipulate configuration backups due to the fact that 
they are encrypted. This encryption is accomplished via a 
netgear -- rax43_firmware password-protected zip file with a hardcoded password 2021-12-30 a ia d = 
(RAX50w!a4udk). By unzipping the configuration using this (perma 
password, a user can reconfigure settings not intended to be 
manipulated, re-zip the configuration, and restore a backup 
causing these settings to be changed. 
Netgear RAX43 version 1.0.3.96 stores sensitive information in 
plaintext. All usernames and passwords for the device's 
netgear -- rax43_ firmware associated services are stored in plaintext on the device. For 2021-12-30 Pat a d an 
example, the admin password is stored in plaintext in the primary beams 
configuration file on the device. 
Netgear RAX43 version 1.0.3.96 contains a buffer overrun 
s vulnerability. The URL parsing functionality in the cgi-bin endpoint not yet ||CVE-2021-20166 
netgear = rax43_firmware of the router containers a buffer overrun issue that can redirection | 2021-12-30 || calculated MISC 
control flow of the applicaiton. 
Certain NETGEAR devices are affected by command injection by 
: an authenticated user. This affects RAX75 before 1.0.3.106, 
netgear tenis Mimware RAX80 before 1.0.3.106, RBK752 before 3.2.16.6, RBR750 mamaa | Je lage =S 
before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before ate 
3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
: an authenticated user. This affects RAX75 before 1.0.3.106, 
netgear texte Mimware RAX80 before 1.0.3.106, RBK752 before 3.2.16.6, RBR750 2021206 | ease S 
before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before E 
3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an unauthenticated attacker. This affects RBK20 before 2.6.1.36, 
; RBR20 before 2.6.1.36, RBS20 before 2.6.1.38, RBK40 before not yet ||CVE-2021-45626 
netgear roko tirmware 2.6.1.36, RBR40 before 2.6.1.36, RBS40 before 2.6.1.38, RBK50 | 2021-12-26 || calcuiatea [MISC 
before 2.6.1.40, RBR50 before 2.6.1.40, RBS50 before 2.6.1.40, 
and RBS50Y before 2.6.1.40. 
Certain NETGEAR devices are affected by a hardcoded 
netgear -- rbk352_firmware password. This affects RBK352 before 4.4.0.10, RBR350 before || 2021-12-26 | TOtyet a een 
4.4.0.10, and RBS350 before 4.4.0.10. EE 
Certain NETGEAR devices are affected by disclosure of sensitive 
netgear -- rbk352_firmware information. This affects RBK352 before 4.4.0.10, RBR350 before | 2021-12-26 | TOtyet 1 een 
4.4.0.10, and RBS350 before 4.4.0.10. S 
Certain NETGEAR devices are affected by disclosure of sensitive 
netgear -- rbk352_firmware information. This affects RBK352 before 4.4.0.10, RBR350 before | 2021-12-26 | TOtyet ae = 
4.4.0.10, and RBS350 before 4.4.0.10. iene 
Certain NETGEAR devices are affected by an attacker's ability to 
netgear -- rbk352_firmware read arbitrary files. This affects RBK352 before 4.4.0.0, RBR350 | 2021-12-26 | TOtyet oo 
before 4.4.0.10, and RBS350 before 4.4.0.10. E 
Certain NETGEAR devices are affected by a hardcoded 
netgear -- rbk352_firmware password. This affects RBK352 before 4.4.0.10, RBR350 before || 2021-12-26 | TOtyet ae es 
4.4.0.10, and RBS350 before 4.4.0.10. Da 
Certain NETGEAR devices are affected by server-side injection. 
This affects RBK40 before 2.5.1.16, RBR40 before 2.5.1.16, 
; RBS40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before not yet ||CVE-2021-45660 
netgeat = roko iimwarg 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 | 2021-12-26 || calculated [MISC 
before 2.5.1.16, RBS50 before 2.5.1.16, and RBS50Y before 
2.6.1.40. 
Certain NETGEAR devices are affected by server-side injection. 
This affects RBK40 before 2.5.1.16, RBR40 before 2.5.1.16, 
; RBS40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before not yet ||CVE-2021-45659 
netgear =rbk40_ Nimware 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 | 2021-12-26 || calcuiatea [MISC 
before 2.5.1.16, RBS50 before 2.5.1.16, and RBS50Y before 
2.6.1.40. 
Certain NETGEAR devices are affected by server-side injection. 
This affects RBK40 before 2.5.1.16, RBR40 before 2.5.1.16, 
; RBS40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before not yet ||CVE-2021-45661 
netgear: roko firmware 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 | 2021-12-26 || calculated MISC 
before 2.5.1.16, RBS50 before 2.5.1.16, and RBS50Y before 
2.6.1.40. 
Certain NETGEAR devices are affected by disclosure of sensitive 
netgear -- rbk50_firmware information. This affects RBK50 before 2.7.3.22, RBR50 before || 2021-12-26 | "Ol vet oo 
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before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 


Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, not yet |CVE-2021-45569 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 alcalateð Msc 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before ————— 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, not yet |ICVE-2021-45588 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 eaiicd Msc 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before -= 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, not yet ICVE-2021-45574 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 aiaei Msc 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before = 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, not vet |ICVE-2021-45570 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 iciae Msc 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before -n 
3:2.16.6. 
Certain NETGEAR devices are affected by command injection by 
netgear -- rbk752_firmware an authenticated user. This affects R7000 before 1.0.11.126, 2021-42-26 A aae = 
R6900P before 1.3.2.126, and R7000P before 1.3.2.126. i errs 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || "ot yet oe 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before == 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-1226 || "ot vet e 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before = 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_ firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || "ot yet ee 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before —— 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || Totyet a 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before meS 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || "ot vet acai 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before ——— 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_ firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-1226 || "ot vet ae 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before eee 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || "ot yet ir apa 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before —— 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || otyet ama 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before leans 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || "ot yet i ai 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before ——— 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear -- rbk752_ firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 || "ot vet ami 








3.2.16.6. 
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Description 
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Source & Patch 
Info 








netgear -- rok752_firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45585 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45583 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45582 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45575 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45581 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45580 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45586 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45579 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45578 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45577 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45566 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45560 
MISC 








netgear -- rbk752_ firmware 


Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 


2021-12-26 


not yet 
calculated 


CVE-2021-45565 
MISC 











netgear -- rbk752_ firmware 








Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, 
RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 
3.2.16.6. 








2021-12-26 





not yet 
calculated 





CVE-2021-45564 
MISC 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Certain NETGEAR devices are affected by command injection by 
; an authenticated user. This affects RBK752 before 3.2.16.6, 
nergear e rbkrga Mirmwarg RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 pie | TO e 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before ————— 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, not yet |ICVE-2021-45572 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 eariicd Misc OCS 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before ———— 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBK752 before 3.2.16.6, not yet |ICVE-2021-45592 
netgear -- rbk752_firmware RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 2021-12-26 aiaei Misc C 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before = 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
: an authenticated user. This affects RBK752 before 3.2.16.6, 
netgear rbk 32 Mmwarg RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 apnoea 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before GERR 
3:2.16.6. 
Certain NETGEAR devices are affected by command injection by 
; an authenticated user. This affects RBK752 before 3.2.16.6, 
nergear rbkrga Mrmwarg RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 piiss | lee e 
before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before a 
3.2.16.6. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBR20 before 2.7.3.22, 
netgear -- rbr20_ firmware RBR40 before 2.7.3.22, RBR50 before 2.7.2.102, RBS20 before 2021-12-26 not yet |CVE-2021-45593 
2.7.3.22, RBS40 before 2.7.3.22, RBR50 before 2.7.2.102, RBK20 calculated ||IMISC 
before 2.7.3.22, RBK40 before 2.7.3.22, and RBK50 before 
2.7.2.102. 
Certain NETGEAR devices are affected by command injection by 
an authenticated user. This affects RBS50Y before 2.7.3.22, 
. RBR20 before 2.7.3.22, RBR40 before 2.7.3.22, RBR50 before not yet ||CVE-2021-45594 
a 2.7.3.22, RBS20 before 2.7.3.22, RBS40 before 2.7.3.22, RBS50 | 2021-12-26 || calcuiated [MISC 
before 2.7.3.22, RBK20 before 2.7.3.22, RBK40 before 2.7.3.22, 
and RBK50 before 2.7.3.22. 
Certain NETGEAR devices are affected by incorrect configuration 
: of security settings. This affects RBS50Y before 2.7.0.122, SRK60 
a before 2.7.0.122, SRR60 before 2.7.0.122, SRS60 before a9 4226. |) e e a 
2.7.0.122, SXK30 before 3.2.33.108, SXR30 before 3.2.33.108, bps 
SXS30 before 3.2.33.108, and SRC60 before 2.7.0.122. 
netgear -- xr1000_firmware NETGEAR XR1000 devices before 1.0.0.58 are affected by denial 2021-12-26 not yet |CVE-2021-45519 
of service. calculated |MISC 
; NETGEAR XR1000 devices before 1.0.0.58 are affected by not yet ||CVE-2021-45513 
netgear -- xr1000_firmware command injection by an unauthenticated attacker. 2021-12-26 || calculated [MISC 
netgear -- xr1000_firmware NETGEAR XR1000 devices before 1.0.0.58 are affected by 2021-12-26 not yet ||CVE-2021-45654 
disclosure of sensitive information. calculated |MISC 
: NETGEAR XR1000 devices before 1.0.0.58 are affected by denial not yet CVE-2021-45518 
netgear -- xr1000_ firmware nt Service. 2021-12-26 calculated MISC 
netgear -- xr1000_firmware NETGEAR XR1000 devices before 1.0.0.58 are affected by 2021-12-26 not yet |CVE-2021-45510 
authentication bypass. calculated ||MISC 
: NETGEAR XR1000 devices before 1.0.0.58 are affected by denial not yet |CVE-2021-45517 
netgear -- xr1000_ firmware əf service. 2021-12-26 calculated MISC 
' NETGEAR XR1000 devices before 1.0.0.58 are affected by not yet |CVE-2021-45514 
netgear == SUES ale command injection by an unauthenticated attacker. 2021-12-26 || calculated ||MISC 
netgear -- xr1000_ firmware NETGEAR XR1000 devices before 1.0.0.58 are affected by a 2021-12-26 not yet CVE-2021-45522 
&#xA0; hardcoded password. calculated ||MISC 
Certain NETGEAR devices are affected by command injection by 
netgear -- xr300_ firmware an unauthenticated attacker. This affects XR300 before 1.0.3.68, 2021-12-26 ae oe 
R7000P before 1.3.3.140, and R6900P before 1.3.3.140. DE 
netgen -- tags_bundle Netgen Tags Bundle 3.4.x before 3.4.11 and 4.0.x before 4.0.15 not yet a 
: ne 2021-12-27 MISC 
allows XSS in the Tags Admin interface. calculated MISC 
Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An nakvat CVE-2021-45814 
nettmp -- nettmp attacker can bypass authentication and access the panel with an 2021-12-28 Pasa ae MISC 
administrative account. MISC 
Nokia FastMile 3TG00118ABAD52 devices allow privilege nok vet CVE-2021-45896 
nokia -- fastmile escalation by an authenticated user via is_ctc_admin=1 to 2021-12-27 aera MISC 
login_web_app.cgi and use of Import Config File. MISC 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description published | Score Info 
NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a 
; Cross Site Scripting (XSS) vulnerability. An attacker can steal the not yet CVE-2021-45812 
nuuo — network_video_recorder user's session by injecting malicious JavaScript codes which leads 2021-12-28 || calculated [MISC 
to session hijacking. 
; : Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a CVE-2021-45948 
open_asset — import library heap-based buffer overflow in _m3d_safestr (called from 2022-01-01 || nor yst misc 
m3d_load and Assimp::M3DWrapper::M3DWrapper). MISC 
OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in CVE-2021-45942 
openexr -- openexr Imf_3_1::LineCompositeTask::execute (called from 2022-01-01 not yet MISC 
IIlmThread_3_1::NullThreadPoolProvider::addTask and calculated ||MISC 
IIlmThread_3_1::ThreadPool::addGlobalTask). MISC 
openwrt -- openwrt OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen. 2021-12-27 Hot yor |iAE 202145305 
calculated ||MISC 
OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name not yet |CVE-2021-45904 
openwri= Openwii screen. 2021-12-27 || calculated [MISC 
openwrt -- openwrt OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen. || 2021-12-27 || _Motyet [CVE-2021-45906 
calculated ||MISC 
ColorOS pregrant dangerous permissions to apps which are listed 
7 in a whitelist xml named default-grant-permissions.But some apps 49. not yet |CVE-2021-23244 
PRPS oppo in whitelist is not installed, attacker can disguise app with the PORNEA, calculated ||MISC 
same package name to obtain dangerous permission. 
parse-link-header -- parse-link- The package parse-link-header before 2.0.0 are vulnerable to not vat ea ~ 
header Regular Expression Denial of Service (ReDoS) via the 2021-12-24 calculated CONFIRM 
checkHeader function. CONFIRM 
philips Patient Information Center iX (PIC iX) Versions C.02 and C.03 
aaa : : receives input or data, but does not validate or incorrectly ETE not yet ||CVE-2021-43548 
patient infomation center ix validates that the input has the properties required to process the ee eet calculated |MISC 
data safely and correctly. 
The use of a broken or risky cryptographic algorithm is an 
philips -- unnecessary risk that may result in the exposure of sensitive 
patient_information_center_ix information, which affects the communications between Patient 2021-12-27 a a d oo 
Information Center iX (PIC iX) Versions C.02 and C.03 and Efficia e 
CM Series Revisions A.01 to C.0x and 4.0. 
philips -- The use of a hard-coded cryptographic key significantly increases 7 ? 
patient_information_center_ix the possibility encrypted data may be recovered from the Patient 2021-12-27 a pa d ae m= 
Information Center iX (PIC iX) Versions B.02, C.02, and C.03. ro 
PJSIP is a free and open source multimedia communication 
library. In version 2.11.1 and prior, if incoming RTCP XR message 
isip -- pisi contain block, the data field is not checked against the received ok vet e 
Bebe packet size, potentially resulting in an out-of-bound read access. 2021-12-27 eae CONFIRM 
This affects all users that use PJMEDIA and RTCP XR. A Msc 
malicious actor can send a RTCP XR message with an invalid ——— 
packet size. 
A remote code execution issue in the ping command on Poly Trio not vet CVE-2018-17875 
poly -- poly_trio_8800 8800 5.7.1.4145 devices allows remote authenticated users to 2021-12-28 Beilin MISC 
execute commands via unspecified vectors. MISC 
‘ — A Cross-Site Request Forgery (CSRF) in /admin/index.php? CVE-2020-20945 
dibosont -qibosomt Ifj=member&action=editmember of Qibosoft v7 allows attackers to |} 2021-12-27 i ae MISC 
arbitrarily add administrator accounts. MISC 
A Cross-Site Request Forgery (CSRF) in /member/post.php? 
qibosoft -- qibosoft job=postnew&step=post of Qibosoft v7 allows attackers to force 2021-12-27 not yet ||CVE-2020-20943 
victim users into arbitrarily publishing new articles via a crafted calculated |MISC 
URL. 
‘ A Qibosoft v7 contains a stored cross-site scripting (XSS) CVE-2020-20946 
Gibosoft — qibosoft vulnerability in the component /admin/index.php? 2021-12-27 || nor vet misc 
Ifj=friendlink&action=add. MISC 
qibosoft -- qibosoft An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 not yet CVE-2020-20944 
es 4 2021-12-27 MISC 
allows attackers to arbitrarily delete files. calculated MISC 
CVE-2021-45930 
Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an _ 
out-of-bounds write in notyet [haan 
at_sva- qt_svg QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppene ao calculated rae 
(called from QPainterPath::addPath and QPathClipper::intersect). MISC 
MISC 
Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross not yet ||CVE-2021-45815 
quectel — uc20 Site Scripting (XSS) vulnerability. 2021-12-30 || calculated [MISC 
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In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are 
affected by Stored XSS vulnerability, where a low privileged 
(editor) user can upload a SVG file that contains malicious 
JavaScript while uploading assets in the page. That will send the 
JWT tokens to the attacker’s server and will lead to account 
takeover when accessed by the victim. 


Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is 
vulnerable to stored cross-site scripting through non-image file 
uploads for file types that can be viewed directly inline in the 
browser. By creating a malicious file which can execute inline JS 
when viewed in the browser (e.g. XML files), a malicious Wiki.js 
user may stage a stored cross-site scripting attack. This allows the 
attacker to execute malicious JavaScript when the file is viewed 
directly by other users. The file must be opened directly by the 
user and will not trigger directly in a normal Wiki.js page. A patch 
in version 2.5.264 fixes this vulnerability by adding an optional 
(enabled by default) force download flag to all non-image file 
types, preventing the file from being viewed inline in the browser. 
As a workaround, disable file upload for all non-trusted users. --- 
Thanks to @Haxatron for reporting this vulnerability. Initially 
reported via https://huntr.dev/bounties/266bff09-00d9-43ca-a4bb- 
bb540642811f/ 


Wiki.js is a wiki app built on node.js. Wiki.js 2.5.263 and earlier is 
vulnerable to stored cross-site scripting through a SVG file upload 
made via a custom request with a fake MIME type. By creating a 
crafted SVG file, a malicious Wiki.js user may stage a stored 
cross-site scripting attack. This allows the attacker to execute 
malicious JavaScript when the SVG is viewed directly by other 
users. Scripts do not execute when loaded inside a page via 
normal `<img>` tags. The malicious SVG can only be uploaded by 
crafting a custom request to the server with a fake MIME type. A 
patch in version 2.5.264 fixes this vulnerability by adding an 
additional file extension verification check to the optional (enabled 
by default) SVG sanitization step to all file uploads that match the 
SVG mime type. As a workaround, disable file upload for all non- 
trusted users. 


CVE-2021-25993 
MISC 
MISC 


not yet 


202112529 calculated 


requarks -- wiki.js 








CVE-2021-43856 
not yet CONFIRM 

calculated ||MISC 

MISC 


requarks -- wiki.js 2021-12-27 








CVE-2021-43855 
not yet |MISC 

calculated ||CONFIRM 

MISC 


requarks -- wiki.js 2021-12-27 




























































































ae tis CGI::Cookie.parse in Ruby through 2.6.8 mishandles security not vet CVE-2021-41819 
y y prefixes in cookie names. This also affects the CGI gem through 2022-01-01 sicud MISC 
0.3.0 for Ruby. CONFIRM 
kaby rub Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS notvet CVE-2021-41817 
y y (regular expression Denial of Service) via a long string. The fixed 2022-01-01 run MISC 
versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. CONFIRM 
starii An issue was discovered in the binjs_io crate through 2021-01-03 nok Vat CVE-2021-45683 
for Rust. The Read method may read from uninitialized memory 2021-12-27 y MISC 
: calculated 
locations. MISC 
An issue was discovered in the csv-sniffer crate through 2021-01- not vet CVE-2021-45686 
rust -- rust 05 for Rust. preamble_skipcount may read from uninitialized 2021-12-27 y MISC 
: calculated 
memory locations. MISC 
rush=nust An issue was discovered in the columnar crate through 2021-01- not yet CVE-2021-45685 
07 for Rust. ColumnarReadExt::read_typed_vec may read from 2021-12-27 y MISC 
_typed_) y 
RUE 3 calculated 
uninitialized memory locations. MISC 
rust =rust An issue was discovered in the flumedb crate through 2021-01-07 notvet CVE-2021-45684 
for Rust. read_entry may read from uninitialized memory 2021-12-27 y MISC 
: calculated 
locations. MISC 
An issue was discovered in the vec-const crate before 2.0.0 for fiat vat CVE-2021-45680 
rust -- rust Rust. It tries to construct a Vec from a pointer to a const slice, 2021-12-27 y MISC 
; : calculated 
leading to memory corruption. MISC 
An issue was discovered in the nanorand crate before 0.6.1 for 
rust -- rust Rust. There can be multiple mutable references to the same 2024-12-27 not yet oo 
object because the TlsWyRand Deref implementation calculated MISC 
dereferences a raw pointer. A 
ist inet An issue was discovered in the bronzedb-protocol crate through nat vet CVE-2021-45682 
2021-01-03 for Rust. ReadKVExt may read from uninitialized 2021-12-27 aid MISC 
memory locations. MISC 
An issue was discovered in the metrics-util crate before 0.7.0 for 
rust -- rust Rust. There is a data race and memory corruption because 2021-12-27 not yet i i 
AtomicBucket<T> unconditionally implements the Send and Sync calculated MISC 
traits. (ies 
An issue was discovered in the ckb crate before 0.40.0 for Rust. 
rust -- rust Remote attackers may be able to conduct a 51% attack against 2021-12-27 not yet oo 
the Nervos CKB blockchain by triggering an inability to allocate calculated MISC 





























memory for the misbehavior HashMap. 
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Primary ae j CVSS Source & Patch 
Vendor -- Product Description Published | Score Info 
riske-pist An issue was discovered in the derive-com-impl crate before 0.1.2 ok vet CVE-2021-45681 
for Rust. An invalid reference (and memory corruption) can occur || 2021-12-27 aculei MISC 
because AddRef might not be called before returning a pointer. MISC 
An issue was discovered in the raw-cpuid crate before 9.1.1 for 
rst inist Rust. If the serialize feature is used (which is not the the default), 2021-12-27 not yet —— 
a Deserialize operation may lack sufficient validation, leading to calculated MISC 
memory corruption or a panic. Poe a 
An issue was discovered in the messagepack-rs crate through Kok vet CVE-2021-45691 
rust -- rust 2021-01-26 for Rust. deserialize_string may read from 2021-12-27 eed MISC 
uninitialized memory locations. MISC 
An issue was discovered in the gfx-auxil crate through 2021-01-07 notvét CVE-2021-45689 
rust -- rust for Rust. gfx_auxil::read_spirv may read from uninitialized memory|| 2021-12-27 ea MISC 
locations. MISC 
rist rust An issue was discovered in the ckb crate before 0.40.0 for Rust. Rak vat CVE-2021-45700 
Attackers can cause a denial of service (Nervos CKB blockchain 2021-12-27 seieacicd MISC 
node crash) via a dead call that is used as a DepGroup. MISC 
hista ruist An issue was discovered in the abomonation crate through 2021- not vet CVE-2021-45708 
10-17 for Rust. Because transmute operations are insufficiently 2021-12-27 Pe ae MISC 
constrained, there can be an information leak or ASLR bypass. MISC 
An issue was discovered in the messagepack-rs crate through nak vet CVE-2021-45690 
rust -- rust 2021-01-26 for Rust. deserialize_binary may read from 2021-12-27 ead MISC 
uninitialized memory locations. MISC 
rlist—=itust An issue was discovered in the messagepack-rs crate through nötiyet CVE-2021-45692 
2021-01-26 for Rust. deserialize_extension_others may read from || 2021-12-27 Gracia MISC 
uninitialized memory locations. MISC 
iste mist An issue was discovered in the messagepack-rs crate through ot vet CVE-2021-45693 
2021-01-26 for Rust. deserialize_string_primitive may read from 2021-12-27 eatcuited MISC 
uninitialized memory locations. MISC 
An issue was discovered in the rdiff crate through 2021-02-03 for not yet a 
rust -- rust ; men : 2021-12-27 MISC 
Rust. Window may read from uninitialized memory locations. calculated MISC 
An issue was discovered in the mopa crate through 2021-06-01 
for Rust. It incorrectly relies on Trait memory layout, possibly not yet eA 2) 
rust -- rust : : : 2021-12-27 MISC 
leading to future occurrences of arbitrary code execution or ASLR calculated MISC 
bypass. -n 
iiet = rust An issue was discovered in the sha2 crate 0.9.7 before 0.9.8 for ñotyet CVE-2021-45696 
Rust. Hashes of long messages may be incorrect when the AVX2-|| 2021-12-27 Paina ieee MISC 
accelerated backend is used. MISC 
rust -- rust An issue was discovered in the molecule crate before 0.7.2 for not yet CVE-2021-45607 
; ; ; 2021-12-27 MISC 
Rust. A FixVec partial read has an incorrect result. calculated MISC 
An issue was discovered in the ckb crate before 0.40.0 for Rust. A 
rust -- rust get_block_template RPC call may fail in situations where it is 2021-12-27 not yet aae = 
supposed to select a Nervos CKB blockchain transaction with a calculated MISC 
higher fee rate than another transaction. ———— 
rust -- rust An issue was discovered in the ash crate before 0.33.1 for Rust. not yet ee 
a ane : 2021-12-27 MISC 
util::read_spv may read from uninitialized memory locations. calculated MISC 
risk nist An issue was discovered in the acc_reader crate through 2020- nat Vet CVE-2020-36513 
12-27 for Rust. read_up_to may read from uninitialized memory 2021-12-27 calculated MISC 
locations. MISC 
rust -- rust An issue was discovered in the zeroize_derive crate before 1.1.1 not yet ee 
: = 2021-12-27 MISC 
for Rust. Dropped memory is not zeroed out for an enum. calculated MISC 
statist An issue was discovered in the simple_asn1 crate 0.6.0 before iat Vet CVE-2021-45711 
0.6.1 for Rust. There is a panic if UTCTime data, supplied by a 2021-12-27 iced MISC 
remote attacker, has a second character greater than 0x7f. MISC 
An issue was discovered in the pnet crate before 0.27.2 for Rust. 
There is a segmentation fault (upon attempted dereference of an not yet PvE 20 leeaios 
rust -- rust en ; 2021-12-27 MISC 
uninitialized descriptor) because of an erroneous calculated MISC 
IcmpTransportChannellterator compiler optimization. enemas 
An issue was discovered in the buffoon crate through 2020-12-31 fot -vat CVE-2020-36512 
rust -- rust for Rust. InputStream::read_exact may read from uninitialized 2021-12-27 aicut MISC 
memory locations. MISC 
risk=srust An issue was discovered in the bite crate through 2020-12-31 for fiat vet CVE-2020-36511 
Rust. read::BiteReadExpandedExt::read_framed_max may read 2021-12-27 Peirce MISC 
from uninitialized memory locations. MISC 
ist= rust An issue was discovered in the libpulse-binding crate before 2.6.0 not vet CVE-2019-25055 
for Rust. It mishandles a panic that crosses a Foreign Function 2021-12-27 saisuted MISC 
Interface (FFI) boundary. MISC 
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Primary ae : CVSS Source & Patch 
Vendor -- Product Description Published | Score Info 
hiskepist An issue was discovered in the crypto2 crate through 2021-10-08 ok vet CVE-2021-45709 
for Rust. During Chacha20 encryption and decryption, an 2021-12-27 Pelee MISC 
unaligned read of a u32 may occur. MISC 
rust -- rust An issue was discovered in the libpulse-binding crate before 1.2.1 not yet a 
f 2021-12-27 MISC 
or Rust. get_context can cause a use-after-free. calculated MISC 
rust -- rust An issue was discovered in the libpulse-binding crate before 1.2.1 not yet CVE-2018-25027 
- 2021-12-27 MISC 
for Rust. get_format_info can cause a use-after-free. calculated MISC 
An issue was discovered in the tokio crate before 1.8.4, and 1.9.x 
rust -- rust through 1.13.x before 1.13.1, for Rust. In certain circumstances 2021-12-27 not yet o e 
involving a closed oneshot channel, there is a data race and calculated MISC 
memory corruption. n 
An issue was discovered in the acc_reader crate through 2020- Rak vet CVE-2020-36514 
rust -- rust 12-27 for Rust. fill_buf may read from uninitialized memory 2021-12-27 alcuhteð MISC 
locations. MISC 
An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 not vet CVE-2021-45715 
rust -- rust and 0.26.x before 0.26.2 for Rust. create_window_function has a 2021-12-26 sei u ed MISC 
use-after-free. MISC 
An issue was discovered in the nix crate before 0.20.2, 0.21.x 
rust -- rust before 0.21.2, and 0.22.x before 0.22.2 for Rust. not yet CVE-2021-45707 
ee ; ae os 2021-12-27 MISC 
unistd::getgrouplist has an out-of-bounds write if a user is in more calculated MISC 
than 16 /etc/groups groups. (saad 
rust -- rust An issue was discovered in the tremor-script crate before 0.11.6 not yet CVE 2041-45702 
; - 2021-12-27 MISC 
for Rust. A merge operation may result in a use-after-free. calculated MISC 
An issue was discovered in the tremor-script crate before 0.11.6 not yet a 
rust -- rust : ‘ 2021-12-27 MISC 
for Rust. A patch operation may result in a use-after-free. calculated MISC 
An issue was discovered in the Iru crate before 0.7.1 for Rust. The not vet CVE-2021-45720 
rust -- rust iterators have a use-after-free, as demonstrated by an access 2021-12-26 eine ted MISC 
after a pop operation. MISC 
rist rust An issue was discovered in the tectonic_xdv crate before 0.1.12 notyét CVE-2021-45703 
for Rust. XdvParser::<T>::process may read from uninitialized 2021-12-27 sacate MISC 
memory locations. MISC 
iiet = nist An issue was discovered in the rust-embed crate before 6.3.0 for Fiat vet CVE-2021-45712 
Rust. A ../ directory traversal can sometimes occur in debug 2021-12-26 | y MISC 
moda: calculated MISC 
rust =irust An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 not vet CVE-2021-45713 
and 0.26.x before 0.26.2 for Rust. create_scalar_function has a 2021-12-26 calc aed MISC 
use-after-free. 4 MISC 
iste nist An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 ot vet CVE-2021-45714 
and 0.26.x before 0.26.2 for Rust. create_aggregate_function has || 2021-12-26 calc Tred MISC 
a use-after-free. “4 MISC 
mist = Tust An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 nôtvét CVE-2021-45716 
and 0.26.x before 0.26.2 for Rust. create_collation has a use- 2021-12-26 saitei MISC 
after-free. MISC 
istenét An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 nok vet CVE-2021-45717 
and 0.26.x before 0.26.2 for Rust. commit_hook has a use-after- 2021-12-26 y MISC 
Fao. calculated MISC 
Miste iist An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 notyet CVE-2021-45718 
and 0.26.x before 0.26.2 for Rust. rollback_hook has a use-after- 2021-12-26 y MISC 
free. calculated MISC 
stæ rist An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 not vet CVE-2021-45719 
and 0.26.x before 0.26.2 for Rust. update_hook has a use-after- 2021-12-26 | d MISC 
free. calculate MISC 
safari -- montage Reflected Cross Site Scripting (XSS) in SAFARI Montage versions not yet ee 
A 2021-12-28 MISC 
8.3 and 8.5 allows remote attackers to execute JavaScript codes. calculated MISC 
SAFARI Montage 8.7.32 is affected by a CRLF injection 
safari_montage -- safari_montage vulnerability which can lead to can lead to HTTP response 2021-12-30 Het va wee ee 
splitting. calculated (MISC 
An issue was discovered in the smallvec crate before 0.6.13 for not vet CVE-2018-25023 
servo -- rust-smallvec Rust. It can create an uninitialized value of any type, including a 2021-12-27 caine MISC 
reference type. MISC 
nai vat CVE-2021-4168 
showdoc -- showdoc showdoc is vulnerable to Cross-Site Request Forgery (CSRF) 2021-12-26 y CONFIRM 
calculated MISC 
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only apply to IPv4. All services running on the devices are 





accessible via the WAN interface via IPv6 by default. 

















Primary are P CVSS Source & Patch 
Vendor -- Product Description published Score Info 
SLICAN WebCTI 1.01 2015 is affected by a Cross Site Scripting 
: ; (XSS) vulnerability. The attacker can steal the user's session by not yet ||CVE-2021-45813 
slican — webcti injecting malicious JavaScript codes which leads to Session 2021-12-28 || calculated [MISC 
Hijacking and cause user's credentials theft. 
A stack buffer overflow vulnerability has been reported to affect 
QNAP NAS running Surveillance Station. If exploited, this 
vulnerability allows attackers to execute arbitrary code. We have 
already fixed this vulnerability in the following versions of 
snapdragon -- qnap_devices Surveillance Station: QTS 5.0.0 (64 bit): Surveillance Station 2021-12-29 not yet ||CVE-2021-38687 
5.2.0.4.2 (2021/10/26 ) and later QTS 5.0.0 (32 bit): Surveillance calculated |CONFIRM 
Station 5.2.0.3.2 (2021/10/26 ) and later QTS 4.3.6 (64 bit): 
Surveillance Station 5.1.5.4.6 (2021/10/26 ) and later QTS 4.3.6 
(32 bit): Surveillance Station 5.1.5.3.6 (2021/10/26 ) and later 
QTS 4.3.3: Surveillance Station 5.1.5.3.6 (2021/10/26 ) and later 
A cross-site scripting (XSS) vulnerability has been reported to 
F affect QNAP device running Kazoo Server. If exploited, this 
snapdragon — qnap_devices vulnerability allows remote attackers to inject malicious code. We 2021-12-29 Piles at roe 
have already fixed this vulnerability in the following versions of E 
Kazoo Server: Kazoo Server 4.11.20 and later 
Hard coded credentials discovered in SolarWinds Web Help Desk 
product. Through these credentials, the attacker with local access CVE-2021-35232 
: to the Web Help Desk host machine allows to execute arbitrary notyet. |< 
solarwinds -- web_help_desk : ; z 2021-12-27 MISC 
HQL queries against the database and leverage the vulnerability calculated MISC 
to steal the password hashes of the users or insert arbitrary data a 
into the database. 
sourcecodester -- https:/www.sourcecodester.com/ Online Enrollment Management at vet CVE-2021-40579 
online_enrollment_management_sys€ystem in PHP and PayPal Free Source Code 1.0 is affected by: 2021-12-28 Seca MISC 
Incorrect Access Control. The impact is: gain privileges (remote). MISC 
; An issue was discovered in Stormshield Network Security (SNS) 
stormshield — , 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update- not yet |EVE-2021-45885 
stormshield_network_security ree : y 2021-12-29 CONFIRM 
migration scenario, the first SSH password change does not calculated MISC 
properly clear the old password. —— 
A persistent cross-site scripting (XSS) issue in the web interface k p 
e of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, atga ea = 
allows a remote attacker to introduce arbitrary JavaScript via 2021-12-28 sacie MISC 
attachments upload, a different vulnerability than CVE-2021- MISC 
39267 and CVE-2021-39268. EEE 
superantispyware -- SUPERAntispyware v8.0.0.1050 was discovered to contain an z z 
superantispyware issue in the component saskutil64.sys. This issue allows attackers || 2021-12-28 e v1 nd 
to arbitrarily write data to the device via IOCTL 0x9C402140. os 
Quagga Services on D-Link DIR-2640 less than or equal to 
: version 1.11B02 use default hard-coded credentials, which can 
tenable — d-link allow a remote attacker to gain administrative access to the zebra || 2021-12-30 li a 
or ripd those services. Both are running with root privileges on the a 
router (i.e., as the "admin" user, UID 0). 
Quagga Services on D-Link DIR-2640 less than or equal to 
version 1.11B02 are affected by an absolute path traversal 
vulnerability that allows a remote, authenticated attacker to set the 
"message of the day" banner to any file on the system, allowing 
them to read all or some of the contents of those files. Such 
tenable -- d-link sensitive information as hashed credentials, hardcoded plaintext 2021-12-30 Pica oo 
passwords for other services, configuration files, and private keys ieee 
can be disclosed in this fashion. Improper handling of filenames 
that identify virtual resources, such as "/dev/urandom" allows an 
attacker to effect a denial of service attack against the command 
line interfaces of the Quagga services (zebra and ripd). 
It is possible for an unauthenticated, malicious user to force the not yet |CVE-2021-20157 
renabler e renne e200 device to reboot due to a hidden administrative command. 2021-12-30 || calculated MISC 
Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper 
authentication to the bittorrent functionality. If enabled, anyone is not yet ||CVE-2021-20152 
tênable:= Meee able to visit and modify settings and files via the Bittorent web 2021-12-30 || calculated MISC 
client by visiting: http://192.168.10.1:9091/transmission/web/ 
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly 
discloses information via redirection from the setup wizard. 
tenable -- trendnet_ac2600 Authentication can be bypassed and a user may view information || 2021-12-30 Daa eo 
as Admin by manually browsing to the setup wizard and forcing it (gemma 
to redirect to the desired page. 
Trendnet AC2600 TEW-827DRU version 2.08B01 does not have 
sufficient access controls for the WAN interface. The default not yet |ICVE-2021-20149 
tenable -- trendnet_ac2600 iptables ruleset for governing access to services on the device 2021-12-30 eiiea Mee ~~ 
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tenable -- trendnet_ac2600 


Quagga Services on D-Link DIR-2640 less than or equal to 
version 1.11B02 are affected by an absolute path traversal 
vulnerability that allows a remote, authenticated attacker to set an 
arbitrary file on the router's filesystem as the log file used by either 
Quagga service (zebra or ripd). Subsequent log messages will be 
appended to the file, prefixed by a timestamp and some logging 
metadata. Remote code execution can be achieved by using this 
vulnerability to append to a shell script on the router's filesystem, 
and then awaiting or triggering the execution of that script. A 
remote, unauthenticated root shell can easily be obtained on the 
device in this fashion. 


2021-12-30 


not yet 
calculated 


CVE-2021-20134 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 does not 
properly implement csrf protections. Most pages lack proper 
usage of CSRF protections or mitigations. Additionally, pages that 
do make use of CSRF tokens are trivially bypassable as the 
server does not appear to validate them properly (i.e. re-using an 
old token or finding the token thru some other method is possible). 


2021-12-30 


not yet 
calculated 


CVE-2021-20165 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 improperly 
discloses credentials for the smb functionality of the device. 
Usernames and passwords for all smb users are revealed in 
plaintext on the smbserver.asp page. 


2021-12-30 


not yet 
calculated 


CVE-2021-20164 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 leaks 
information via the ftp web page. Usernames and passwords for 
all ftp users are revealed in plaintext on the ftpserver.asp page. 


2021-12-30 


not yet 
calculated 


CVE-2021-20163 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 contains an 
improper access control configuration that could allow for a 
malicious firmware update. It is possible to manually install 
firmware that may be malicious in nature as there does not appear 
to be any signature validation done to determine if it is from a 
known and trusted source. This includes firmware updates that 
are done via the automated "check for updates" in the admin 
interface. If an attacker is able to masquerade as the update 
server, the device will not verify that the firmware updates 
downloaded are legitimate. 


2021-12-30 


not yet 
calculated 


CVE-2021-20156 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 makes use of 
hardcoded credentials. It is possible to backup and restore device 
configurations via the management web interface. These devices 
are encrypted using a hardcoded password of "12345678". 


2021-12-30 


not yet 
calculated 


CVE-2021-20155 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 contains a 
command injection vulnerability in the smb functionality of the 
device. The username parameter used when configuring smb 
functionality for the device is vulnerable to command injection as 
root. 


2021-12-30 


not yet 
calculated 


CVE-2021-20160 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 contains a 
symlink vulnerability in the bittorrent functionality. If enabled, the 
bittorrent functionality is vulnerable to a symlink attack that could 
lead to remote code execution on the device. If an end user 
inserts a flash drive with a malicious symlink on it that the 
bittorrent client can write downloads to, then a user is able to 
download arbitrary files to any desired location on the devices 
filesystem, which could lead to remote code execution. Example 
directories vulnerable to this include "config", "downloads", and 
"torrents", though it should be noted that "downloads" is the only 
vector that allows for arbitrary files to be downloaded to arbitrary 
locations. 


2021-12-30 


not yet 
calculated 


CVE-2021-20153 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 contains an 
security flaw in the web interface. HTTPS is not enabled on the 
device by default. This results in cleartext transmission of 
sensitive information such as passwords. 


2021-12-30 


not yet 
calculated 


CVE-2021-20154 
MISC 








tenable -- trendnet_ac2600 


Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw 
in the session management for the device. The router's 
management software manages web sessions based on IP 
address rather than verifying client cookies/session tokens/etc. 
This allows an attacker (whether from a different computer, 
different web browser on the same machine, etc.) to take over an 
existing session. This does require the attacker to be able to spoof 
or take over original IP address of the original user's session. 


2021-12-30 


not yet 
calculated 


CVE-2021-20151 
MISC 








tenable -- trendnet_ac2600 











Trendnet AC2600 TEW-827DRU version 2.08B01 does not have 
sufficient protections for the UART functionality. A malicious actor 
with physical access to the device is able to connect to the UART 
port via a serial connection. No username or password is required 
and the user is given a root shell with full control of the device. 








2021-12-30 





not yet 
calculated 








CVE-2021-20161 
MISC 
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Primary ae : CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an 
tenable -- trendnet_ac2600 authentication bypass vulnerability. It is possible for an 2021-12-30 not yet ||CVE-2021-20158 
unauthenticated, malicous actor to force the change of the admin calculated ||MISC 
password due to a hidden administrative command. 
Trendnet AC2600 TEW-827DRU version 2.08B01 is vulnerable to 
tenable -- trendnet_ac2600 command injection. The system log functionality of the firmware not yet |CVE-2021-20159 
me age : 2021-12-30 
allows for command injection as root by supplying a malformed calculated ||MISC 
parameter. 
Trendnet AC2600 TEW-827DRU version 2.08B01 stores 
tenable -- trendnet_ac2600 credentials in plaintext. Usernames and passwords are stored in 2021-12-30 not yet |CVE-2021-20162 
plaintext in the config files on the device. For example, calculated |MISC 
/etc/config/cameo contains the admin password in plaintext. 
UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based Rok vet CVE-2021-45958 
ultrajson -- ultrajson buffer overflow in Buffer_AppendindentUnchecked (called from 2022-01-01 y MISC 
calculated 
encode). MISC 
An issue was discovered in split_region in uc.c in Unicorn Engine 
before 2.0.0-rc5. It allows local attackers to escape the sandbox. 
An attacker must first obtain the ability to execute crafted code in ae 
uico: engine the target sandbox in order to exploit this vulnerability. The not yet CONFIRM 
9 specific flaw exists within the virtual memory manager. The issue 2021-12-26 sicuti Msc 
results from the faulty comparison of GVA and GPA while calling MISC 
uc_mem_map_ptr to free part of a claimed memory block. An MISC 
attacker can leverage this vulnerability to escape the sandbox and areas: 
execute arbitrary code on the host machine. 
uWebSockets 19.0.0 through 20.8.0 has an out-of-bounds write in 
std::__1::pair<unsigned int, void*> CVE-2021-45945 
uwebsockets -- uwebsockets uWS::HttpParser::fenceAndConsumePostPadded<0 (called from 2022-01-01 not yet |MISC 
uWS::HttpParser::consumePostPadded and calculated |MISC 
std::__1::__function::__func<LLVMFuzzerTestOnelnput::$_0, MISC 
std::___1::allocator<LL). 
nok vet CVE-2021-4187 
vim -- vim vim is vulnerable to Use After Free 2021-12-29 acute MISC 
CONFIRM 
not yet |CVE-2021-4166 
vim -- vim vim is vulnerable to Out-of-bounds Read 2021-12-25 y CONFIRM 
calculated MISC 
ak vat CVE-2021-4192 
vim -- vim vim is vulnerable to Use After Free 2021-12-31 y CONFIRM 
calculated MISC 
nal vet CVE-2021-4173 
vim -- vim vim is vulnerable to Use After Free 2021-12-27 y CONFIRM 
calculated MISC 
not vet CVE-2021-4193 
vim -- vim vim is vulnerable to Out-of-bounds Read 2021-12-31 Pie inline MISC 
CONFIRM 
Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release not yet CVE-2021-45947 
wasm3 -- wasm3 : A 2022-01-01 MISC 
(called from EvaluateExpression and InitDataSegments). calculated MISC 
Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called not yet CVE-2021-45929 
wasm3 -- wasm3 : : 2022-01-01 MISC 
from CompileElseBlock and Compile_If). calculated MISC 
wasma = Wasm3 Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called 2022-01-01 not yet iia 
from Compile_LoopOrBlock and CompileBlockStatements). calculated MISC 
In WebKitGTK before 2.32.4, there is a use-after-free in 
webkitgtk -- webkitgtk WebCore::Frame::page, a different vulnerability than CVE-2021- || 2021-12-25 |) notvet | [av E-2021-45483 
30889. calculated |MISC 
In WebKitGTK before 2.32.4, there is a use-after-free in 
webkitgtk -- webkitgtk WebCore::ContainerNode:firstChild, a different vulnerability than | 2021-12-25 || not yet . n 
CVE-2021-30889. E 
In WebKitGTK before 2.32.4, there is incorrect memory allocation 
; n in WebCore::ImageBufferCairolmageSurfaceBackend::create, not yet ||CVE-2021-45481 
webkitgtk -- webkitgtk leading to a segmentation violation and application crash, a 2021-12-25 || calculated [MISC 
different vulnerability than CVE-2021-30889. 
Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and not vet nee 
wireshark -- wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or 2021-12-30 y AAR 
calculated |CONFIRM 
crafted capture file 
MISC 
CVE-2021-4183 
: : Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of not yet CONFIRM 
wireshark -- wireshark service via crafted capture file 2021-12-30 || calculated [MISC 
MISC 
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unauthenticated users to perform Cross-Site Scripting attacks 
against admins. 

















Primary oar P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 not vet e 
wireshark -- wireshark to 3.4.10 allows denial of service via packet injection or crafted 2021-12-30 saledaid MSC 
capture file AIEA. 
MISC 
Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 tyt IEE s 
wireshark -- wireshark to 3.4.10 allows denial of service via packet injection or crafted 2021-12-30 y SANT 
: calculated |CONFIRM 
capture file 
MISC 
CVE-2021-4186 
: : Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows not yet CONFIRM 
wireshark -- wireshark denial of service via packet injection or crafted capture file 2021-12-30 || calculated [MISC 
MISC 
CVE-2021-4190 
wireshark--wireshark Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial 2021-12-30 not yet ||CONFIRM 
of service via packet injection or crafted capture file calculated |MISC 
MISC 
Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to sain oe 
wireshark -- wireshark 3.4.10 allows denial of service via packet injection or crafted 2021-12-30 calculated |CONFIRM 
capture file Ai 
MISC 
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in tia WEE =n 
wolfssl -- wolfssl MqttDecode_Disconnect (called from MqttClient_DecodePacket 2022-01-01 y aa 
: F calculated |MISC 
and MattClient_WaitType). 
MISC 
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in er noe 
wolfssl -- wolfssl MattClient_DecodePacket (called from MqttClient_WaitType and 2022-01-01 y RTA 
: : calculated ||MISC 
MattClient_Unsubscribe). 
MISC 
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 cause e S 
wolfssl -- wolfssl bytes) in MqttDecode_Publish (called from 2022-01-01 Pe ic ina MISC 
MqttClient_DecodePacket and MqttClient_HandlePacket). MISC 
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in cast n a 
wolfssl -- wolfssl MattClient_DecodePacket (called from MaqttClient_HandlePacket 2022-01-01 y HIGA 
: calculated |MISC 
and MattClient_WaitType). 
MISC 
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in ace: WE =a 
wolfssl -- wolfssl MqttClient_DecodePacket (called from MaqttClient_WaitType and 2022-01-01 y PEA 
: calculated |MISC 
MattClient_Connect). 
MISC 
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 Pasi oo 
wolfssl -- wolfssl bytes) in MqttDecode_Publish (called from 2022-01-01 rail MISC 
MattClient_DecodePacket and MqttClient_HandlePacket). MISC 
wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in ie: Ee m= 
wolfssl -- wolfssl MattClient_DecodePacket (called from MqttClient_WaitType and 2022-01-01 y EA 
4 : calculated |MISC 
MattClient_Subscribe). 
MISC 
The Smart Floating / Sticky Buttons WordPress plugin before 
2.5.5 does not sanitise and escape some parameter before 
wordpress -- wordpress outputting them in attributes and page, which could allow high 2021-12-27 not yet CUE 2021-24992 
a : igs calculated |MISC 
privilege users to perform Cross-Site Scripting attacks even when 
the unfiltered_html capability is disallowed. 
The Simple JWT Login WordPress plugin before 3.3.0 can be 
used to create new WordPress user accounts with a randomly 
generated password. The password is generated using the not yet ead eats a99 
wordpress -- wordpress ; i : 2021-12-27 MISC 
str_shuffle PHP function that "does not generate cryptographically calculated CONFIRM 
secure values, and should not be used for cryptographic e ETR 
purposes" according to PHP's documentation. 
The Paid Memberships Pro WordPress plugin before 2.6.6 does 
Wordpress: = wordpress not escape the s parameter before outputting it back in an 2021-12-27 not yet or 
p P attribute in an admin page, leading to a Reflected Cross-Site calculated | ren 
Scripti MISC 
cripting 
The Rich Reviews by Starfish WordPress plugin before 1.9.6 does CVE-2021-24753 
wordpress -- wordpress not properly validate the orderby GET parameter of the pending 2024-12-27 not yet Msc 
reviews page before using it in a SQL statement, leading to an calculated CONFIRM 
authenticated SQL injection issue ee 
The Tickera WordPress plugin before 3.4.8.3 does not properly 
sanitise and escape the Name fields of booked Events before 
wordpress -- wordpress outputting them in the Orders admin dashboard, which could allow || 2021-12-27 Ble cae ae 
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Primary ae P CVSS Source & Patch 
Vendor -- Product Description Published Score Info 
The WordPress Download Manager WordPress plugin before 
3.2.22 does not sanitise and escape Template data before 
outputting it in various pages (such as admin dashboard and T f 
wordpress -- wordpress frontend). Due to the lack of authorisation and CSRF checks in the|| 2021-12-27 Boop a 
wpdm_save_template AJAX action, any authenticated users such CI 
as subscriber is able to call it and perform Cross-Site Scripting 
attacks 
The Typebot | Build beautiful conversational forms WordPress 
plugin before 1.4.3 does not sanitise and escape the Publish ID z r 
wordpress -- wordpress setting, which could allow high privilege users to perform Cross- 2021-12-27 eos a 
Site Scripting attacks even when the unfiltered_html capability is [ar == 
disallowed. 
The Contact Form & Lead Form Elementor Builder WordPress 
plugin before 1.6.4 does not sanitise and escape some lead 7 $ 
wordpress -- wordpress values, which could allow unauthenticated users to perform Cross-|| 2021-12-27 bie oo 
Site Scripting attacks against logged in admin viewing the inserted a 
Leads 
The Gwolle Guestbook WordPress plugin before 4.2.0 does not 
sanitise and escape the gwolle_gb_user_email parameter before not yet ||CVE-2021-24980 
wordpress -- wordpress outputting it back in an attribute, leading to a Reflected Cross-Site 2021-12-27 | calculated [MISC 
Scripting issue in an admin page 
The WP Guppy WordPress plugin before 1.3 does not have any 
authorisation in some of the REST API endpoints, allowing any not vet CVE-2021-24997 
wordpress -- wordpress user to call them and could lead to sensitive information 2021-12-27 Aed MISC 
disclosure, such as usernames and chats between users, as well MISC 
as be able to send messages as an arbitrary user 
The WPFront User Role Editor WordPress plugin before 
3.2.1.11184 does not sanitise and escape the changes-saved not yet |CVE-2021-24984 
Wordpress wordpress parameter before outputting it back in the admin dashboard, 2021-12-27 | calculated MISC 
leading to a Reflected Cross-Site Scripting 
The WP RSS Aggregator WordPress plugin before 4.19.3 does 
not sanitise and escape data before outputting it in the System 
Info admin dashboard, which could lead to a Stored XSS issue 
wordpress -- wordpress due to the wprss_dismiss_addon_notice AJAX action missing 2021-12-27 Pat sian 7 n 
authorisation and CSRF checks, allowing any authenticated users, F 
such as subscriber to call it and set a malicious payload in the 
addon parameter. 
Printchaser v2.2021.804.1 and earlier versions contain a 
F 5 vulnerability, which could allow remote attacker to download and not yet ||CVE-2020-7883 
wowsoft — printchaser_activex execute remote file by setting the argument, variable in the 2021-12-28 || calculated [MISC 
activeX module. This can be leveraged for code execution. 
Yappli is an application development platform which provides the 
function to access a requested URL using Custom URL Scheme. 
apbli=yappii When Android apps are developed with Yappli versions since 2021-12-28 not yet os 
yappll -- yapp v7.3.6 and prior to v9.30.0, they are vulnerable to improper calculated MISC 
authorization in Custom URL Scheme handler, and may be n 
directed to unintended sites via a specially crafted URL. 
ZTE BigVideo Analysis product has a privilege escalation 
PAE ; vulnerability. Due to improper management of the timed task not yet ||CVE-2021-21750 
zte — bigvideo_analysis modification privilege, an attacker with ordinary user permissions 2021-12-27 | calculated [MISC 
could exploit this vulnerability to gain unauthorized access. 
ZTE BigVideo analysis product has an input verification 
vulnerability. Due to the inconsistency between the front and back 
zte -- bigvideo_analysis verifications when configuring the large screen page, an attacker 2021-12-27 Peat ia ee 
with high privileges could exploit this vulnerability to tamper with fe 
the URL and cause service exception. 
é A vulnerability in the 'libsal.so' of the Zyxel GS1900 series 
zyxel- gs1900_tirmware firmware version 2.60 could allow an authenticated local user to 2021-12-28 not yet |CVE-2021-35032 
; 5 F calculated |CONFIRM 
execute arbitrary OS commands via a crafted function call. os, 
A vulnerability in the TFTP client of Zyxel GS1900 series firmware, 
; XGS1210 series firmware, and XGS1250 series firmware, which not yet ||CVE-2021-35031 
zyxel -- multiple_products could allow an authenticated LAN user to execute arbitrary OS 2021-12-28 || calculated [CONFIRM 
commands via the GUI of the vulnerable device. 
A cleartext storage of sensitive information vulnerability in the 
Zyxel -- nbg6604_firmware Zyxel NBG6604 firmware could allow a remote, authenticated 2021-12-20 || Ao yot, ono ae 
attacker to obtain sensitive information from the configuration file. e 
: An insufficient session expiration vulnerability in the CGI program 7 g 
yxel==nbg6c0ifirmware of the Zyxel NBG6604 firmware could allow a remote attackerto | 2021-12-29 || mot yet . r e 
access the device if the correct token can be intercepted. eT 
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